Windows Analysis Report
msgde.exe

Overview

General Information

Sample name: msgde.exe
Analysis ID: 1581169
MD5: c9536d9bb5c51fe2741cbf206531c13b
SHA1: 5e4e1d68dd06301cf7810fa04589917aadfefad7
SHA256: 1dff2a45e9861cdcb8741dd196123e32e2b9004b950ee21b9bacc9f99be14fdc
Tags: exeQuasarRATuser-lontze7
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Quasar RAT, QuasarRAT Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: msgde.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Found malware configuration
Source: msgde.exe Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "185.228.82.21:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "59c47ccd-e59a-4ccb-933e-f1094e43684c", "StartupKey": "msgde", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "gx7d1UNgEosrDg5gp7yCBdDPFyrfijigq/eQ9gXjaii0JzhRQ8aawZoiP3wOVeYbSpZ7gkiDEQKSzXqAlc4MZB6jfyGF6+9F99dqzGp6uoMqxJSPtUE6pRX91BET1SV1ZLJfSkmu1awbM/UFmTCxlYxmy1hA+0hyvXjPFsE2uPfAnFOpZm5VMpWbYwE6j7ci18Wh552cmaQdAk31cHNfsBgVbh+MllrUmqJdLwWFATmOx5Aqe7uOjwlnvwFZUUM+f7SX3F+9+STqMi4miZmEGqCKDyyh0WFiioTvpU1ukAGGZo8UxehqoiZ1E4NuZifDGVyFHay3r0fkJdG5K9Ux61DV987BV0cyLrNZR7mUbFct/anWX5/P1Hv4h4fU0TNtL4UuE3Fs3z0YMUw5fuRC7KkzPOlc7Ceth0IYSRhyEB/v1kZ+OmP3RP2kKGajiiifvl3dLYrkqFJYq0bRB4I/TZUEGK8UxElrjMrw+HHDGde2n9kwhU021qrXe6XmDg497qBYFB4oPpDhe00Xe7C8M4+5AzY/tFrOEMzFe3N4FBGn6cuLy0QTxntSlDnZhbrB0r6rPk+7SiYsVNHKu7m5S8PZ1rnUPjG1SQ7OvUtu0X574BA/EaIgqF4MS1hdK3h0pc43qNkR+Bc2zPI8iT7DRXfGjJhEUexohYM2Hdl2YMU=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANEFY7Q4l5U1NM1L4Fc0SzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIyNDE4Mzc1NFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmgeEthvytsES4HeJP8k3vHwFUevzoExDs3SXbmXznaCg1vSXN+wDfjMbMs8HMvH4JDovs40XwSX1+/jEjfGCNYgqhiFh6FKmnFJ9rieNMYOZhE/6D56VFwKmZGvoyJHp9iub6PU7zCeavlaFnP4m22evxEbToE/SqIoVVvxVVIMLw+dGSfaxP1WKUGL/+FXQz1XsSm5FE/ilkoV+rZXRlU5PJRAmL628om/l7C7tcPU/IVxlzoNwli441FreQCeaDaL3Ps8zDQ+oVYP420rLnV3F7T38JgyP3cpWBlLau1aaPfzkN36+WinE/qR/24/0XAGW8wzdI7yFtwkvUy9GDvP1pyilD6WLSohoyfFLPN5ZzwDKZ+KJRAhjBBfuE3TMiXn09PU+kApX+oihb7eE75U41TqfN1Ej+php82u0b6QmazARNqyo3DpBaD72Sr8xuo700SnzWM2T//QJX6vAs9MsutUVHYIC3P50vXnpKF7hQBhsc5TudN5lE87tR3np5jojQehdvQw7GnZp628n3v+gKpJMZQJH2zB7ETNnm2GOjR9dIRZuTaNUDZAO3ADYWM2NSGh1GszFJJcRm0IQnuDU8c4GrvA9g8HT6uXzTyStiglbtbwiBfWNZxqEMxatNT4xy2xsnRKceDw0jRN9XFDlB88duawiiv4vANOfMGMCAwEAAaMyMDAwHQYDVR0OBBYEFMvquHaJMbiR92fyju6JA0wGjtN8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAI4NZX2fA8uu1V7pGDRzUM2d6YLalGm3E1JT8QeHhasPtnusRzckfDSciLYudo0BxfmHkJqmyiMwFnTlVc34txB/nmu3GDCaxUG/I2iZS2cZn5wnypkyKnaaQJegFH2YDYXwGkQA8BEN1rfuwyA1I23S8z81Jb/J5yHr1s3c3ONjoGsfYBD+vbTXSqdAKMHS8EYPN1/27iKKH7k8x5w07Kj1zqSmkYw3Y8MnbLQhyycAbNA1NM2KLrQiwKq2keSWeaZFyXAoxoIF4uriwD6F3AZYgjbse+hnIqnFCAaJ9FBQ+LHQINgWouAmU4YHDOie63CS4bVz+kl7rgtkzFuZvGARjIPqWY19UrpvySRNIfkHHIbNceP5D+XUZDpRs1StrHRThoxGUZtM/gkL86I8ab+m9tCT9AVkJSa2Hp2Wwp+a8bwg6Cr+eS3IlBY0MbQ7IP43Xs83ThArPU1o/hnfS89r+EbFLy+ovEl3ksz1t/CxYEu9+9+FB8weIbZcWJqNDzb1dsd2cLkJ25OXn+gDu+wUAs/JXUdz63EV99MNv01z3gQAbwVxZFxLb9DOeh1+oIt1IMUBCRQUAtH9wTdwkCWIRs5mOHpis+f8hw5ZOrTG7qToaMLbayYS6mmtWG9ffuO6Z7MP4RfKvtlqRyhJ50R84dOSOl7ROj0itYrppQ2V"}
Multi AV Scanner detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe ReversingLabs: Detection: 81%
Multi AV Scanner detection for submitted file
Source: msgde.exe ReversingLabs: Detection: 81%
Source: msgde.exe Virustotal: Detection: 81% Perma Link
Yara detected Quasar RAT
Source: Yara match File source: msgde.exe, type: SAMPLE
Source: Yara match File source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1676092019.00000000006B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2930408585.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701589360.000000001B2B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1675739025.0000000000392000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msgde.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5968, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: msgde.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: msgde.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: msgde.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 185.228.82.21:4782 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.228.82.21:4782 -> 192.168.2.4:49730
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.228.82.21
Yara detected Generic Downloader
Source: Yara match File source: msgde.exe, type: SAMPLE
Source: Yara match File source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 185.228.82.21:4782
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 108.181.61.49 108.181.61.49
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ACCESS2ITNL ACCESS2ITNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ipwho.is
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.82.21
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: Client.exe, 00000003.00000002.2935406595.000000001B382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000003.00000002.2936492564.000000001B6EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabb~
Source: Client.exe, 00000003.00000002.2930408585.0000000002E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000003.00000002.2930408585.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: msgde.exe, 00000000.00000002.1699756712.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.2930408585.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msgde.exe, Client.exe.0.dr String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000003.00000002.2930408585.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipwho.is
Source: msgde.exe, Client.exe.0.dr String found in binary or memory: https://ipwho.is/
Source: msgde.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: msgde.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: msgde.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\System32\SubDir\Client.exe Windows user hook set: 0 keyboard low level C:\Windows\system32\SubDir\Client.exe Jump to behavior

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: msgde.exe, type: SAMPLE
Source: Yara match File source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1676092019.00000000006B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2930408585.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701589360.000000001B2B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1675739025.0000000000392000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msgde.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5968, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: msgde.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: msgde.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: msgde.exe, type: SAMPLE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects Quasar infostealer Author: ditekshen
Creates files inside the system directory
Source: C:\Users\user\Desktop\msgde.exe File created: C:\Windows\system32\SubDir Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe File created: C:\Windows\system32\SubDir\Client.exe Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB07C16 3_2_00007FFD9BB07C16
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB0EB29 3_2_00007FFD9BB0EB29
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAF9271 3_2_00007FFD9BAF9271
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB08A0F 3_2_00007FFD9BB08A0F
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB0B851 3_2_00007FFD9BB0B851
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAFAFDD 3_2_00007FFD9BAFAFDD
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAF9FD0 3_2_00007FFD9BAF9FD0
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB0FE80 3_2_00007FFD9BB0FE80
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAF55D6 3_2_00007FFD9BAF55D6
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAF621F 3_2_00007FFD9BAF621F
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BC12321 3_2_00007FFD9BC12321
Sample file is different than original file name gathered from version info
Source: msgde.exe, 00000000.00000002.1701589360.000000001B2B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs msgde.exe
Source: msgde.exe, 00000000.00000000.1676092019.00000000006B0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe. vs msgde.exe
Source: msgde.exe Binary or memory string: OriginalFilenameClient.exe. vs msgde.exe
Uses 32bit PE files
Source: msgde.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: msgde.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: msgde.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: msgde.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/5@1/2
Source: C:\Users\user\Desktop\msgde.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msgde.exe.log Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1800:120:WilError_03
Source: C:\Windows\System32\SubDir\Client.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\59c47ccd-e59a-4ccb-933e-f1094e43684c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
Source: msgde.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msgde.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\msgde.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: msgde.exe ReversingLabs: Detection: 81%
Source: msgde.exe Virustotal: Detection: 81%
Source: msgde.exe String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\msgde.exe File read: C:\Users\user\Desktop\msgde.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\msgde.exe "C:\Users\user\Desktop\msgde.exe"
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe"
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\SubDir\Client.exe C:\Windows\system32\SubDir\Client.exe
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe" Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: msgde.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: msgde.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: msgde.exe Static file information: File size 3265536 > 1048576
Source: msgde.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
Source: msgde.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B76D2A5 pushad ; iretd 3_2_00007FFD9B76D2A6
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB0B851 push ss; retn FD9Bh 3_2_00007FFD9BB0C01A
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB0D4D8 push FD9BC222h; retn FD9Bh 3_2_00007FFD9BB0D5FA
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BAF336E push eax; ret 3_2_00007FFD9BAF340C
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BC12321 push edx; retf 5F20h 3_2_00007FFD9BC15A3B

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\msgde.exe Executable created and started: C:\Windows\system32\SubDir\Client.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\msgde.exe File created: C:\Windows\System32\SubDir\Client.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\msgde.exe File created: C:\Windows\System32\SubDir\Client.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\msgde.exe File opened: C:\Users\user\Desktop\msgde.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe File opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe File opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\msgde.exe Memory allocated: 27A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Memory allocated: 1A9A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: F50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 1AA80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 2A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 1AD40000 memory reserve | memory write watch Jump to behavior
Contains functionality to detect virtual machines (STR)
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B88F1F2 str ax 3_2_00007FFD9B88F1F2
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\msgde.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\SubDir\Client.exe Window / User API: threadDelayed 6842 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Window / User API: threadDelayed 2978 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\msgde.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6540 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6540 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6640 Thread sleep count: 6842 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6640 Thread sleep count: 2978 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6252 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 2828 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\msgde.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Client.exe, 00000003.00000002.2935920893.000000001B5C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.Eo
Source: Client.exe, 00000003.00000002.2935920893.000000001B5C4000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000003.00000002.2936492564.000000001B6EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Enables debug privileges
Source: C:\Users\user\Desktop\msgde.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe" Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "msgde" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\msgde.exe Queries volume information: C:\Users\user\Desktop\msgde.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msgde.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: msgde.exe, type: SAMPLE
Source: Yara match File source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1676092019.00000000006B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2930408585.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701589360.000000001B2B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1675739025.0000000000392000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msgde.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5968, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Quasar RAT
Source: Yara match File source: msgde.exe, type: SAMPLE
Source: Yara match File source: 0.0.msgde.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1676092019.00000000006B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2930408585.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701589360.000000001B2B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1675739025.0000000000392000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msgde.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5968, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581169 Sample: msgde.exe Startdate: 27/12/2024 Architecture: WINDOWS Score: 100 31 ipwho.is 2->31 33 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->33 35 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->35 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 9 msgde.exe 5 2->9         started        13 Client.exe 3 2->13         started        signatures3 process4 file5 27 C:\Windows\System32\SubDir\Client.exe, PE32 9->27 dropped 29 C:\Users\user\AppData\Local\...\msgde.exe.log, CSV 9->29 dropped 57 Drops executables to the windows directory (C:\Windows) and starts them 9->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 9->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->61 15 Client.exe 14 2 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 37 185.228.82.21, 4782, 49730 ACCESS2ITNL Netherlands 15->37 39 ipwho.is 108.181.61.49, 443, 49732 ASN852CA Canada 15->39 41 Antivirus detection for dropped file 15->41 43 Multi AV Scanner detection for dropped file 15->43 45 Machine Learning detection for dropped file 15->45 47 2 other signatures 15->47 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.228.82.21
 unknown Netherlands
208258 ACCESS2ITNL true
108.181.61.49
 ipwho.is Canada
852 ASN852CA false

Contacted Domains

Name IP Active
ipwho.is 108.181.61.49 true
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 217.20.58.99 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
185.228.82.21 true
  • Avira URL Cloud: safe
 unknown
https://ipwho.is/ false
    		high