Windows Analysis Report
Bill of Lading.exe

Overview

General Information

Sample name: Bill of Lading.exe
Analysis ID: 1501090
MD5: 4a66f7adeee42701433453d52eef4fe3
SHA1: dccf14f7ba680630193ba6afaee8010db77c5fc3
SHA256: d5b1bfd640980218ef11f409fa2b966c84c402e93eb47c3bce412096bec5284f
Tags: AsyncRAT, exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: xwram1.duckdns.org Avira URL Cloud: Label: malware
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["xwram1.duckdns.org"], "Port": "58345", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe Virustotal: Detection: 72%
Source: Bill of Lading.exe ReversingLabs: Detection: 65%
Source: Bill of Lading.exe Virustotal: Detection: 72%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\mmgfreeway.exe Joe Sandbox ML: detected
Source: Bill of Lading.exe Joe Sandbox ML: detected
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: xwram1.duckdns.org
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: 58345
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: <123456789>
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: <Xwormmm>
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: PC
Source: 2.2.InstallUtil.exe.150000.0.unpack String decryptor: USB.exe
Source: Bill of Lading.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Bill of Lading.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: O.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @zo.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ?zoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbP% source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HPno8C:\Windows\InstallUtil.pdbWH source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051B252Dh 0_2_051B2440
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_051B1468
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_051B1460
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051B252Dh 0_2_051B24F3
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051B252Dh 0_2_051B26AB
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051F5D61h 0_2_051F5D00
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051F5D61h 0_2_051F5CF0
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051FD400h 0_2_051FD348
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051FD400h 0_2_051FD340
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then jmp 051F5D61h 0_2_051F5ECF
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_052DDA10

Networking

Source: Malware configuration extractor URLs: xwram1.duckdns.org
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: Bill of Lading.exe
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051FFD50 NtResumeThread, 0_2_051FFD50
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051FE820 NtProtectVirtualMemory, 0_2_051FE820
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051FFD49 NtResumeThread, 0_2_051FFD49
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051FE81A NtProtectVirtualMemory, 0_2_051FE81A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1449018047.00000000055D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefiletocrypt.exe4 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1437324458.00000000006AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1447539886.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQijjyabe.dll" vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000000.1427214065.0000000000208000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe
Source: Bill of Lading.exe Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe
Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Bill of Lading.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mmgfreeway.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\Bill of Lading.exe File created: C:\Users\user\AppData\Roaming\mmgfreeway.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\iEuKzrF7KOcf8iUC
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3c6fa989-34e0-4741-9c63-3147f026ea2a
Source: Bill of Lading.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Bill of Lading.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Bill of Lading.exe File read: C:\Users\user\Desktop\Bill of Lading.exe
Source: unknown Process created: C:\Users\user\Desktop\Bill of Lading.exe "C:\Users\user\Desktop\Bill of Lading.exe"
Source: C:\Users\user\Desktop\Bill of Lading.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Bill of Lading.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Bill of Lading.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Bill of Lading.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: Bill of Lading.exe, Pobwultsfy.cs .Net Code: Atghiyyrxmt System.AppDomain.Load(byte[])
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.Bill of Lading.exe.50f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1448146740.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_00BD56A8 push ss; ret 0_2_00BD5702
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_05082EA7 push esp; retf 0_2_05082EA8
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051BDC66 push edx; retf 0_2_051BDCAD
Source: C:\Users\user\Desktop\Bill of Lading.exe Code function: 0_2_051BDCFD push edi; iretd 0_2_051BDD05
Source: Bill of Lading.exe Static PE information: section name: .text entropy: 7.916001790909424
Source: mmgfreeway.exe.0.dr Static PE information: section name: .text entropy: 7.916001790909424
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, JUTfQANoJH8bQj3LXjk.cs High entropy of concatenated method names: 'Ls5NPVJpxq', 'tAx4HJDc91PxEjiFKyw', 'J7NqPAD0gUZWL2dejci', 'ofollVDj9AYnZIOTl6y', 'fhAaFCDXuQfTche8IAx', 'A3D0nEDuIBIdvNTZWu4', 'AyoaSADhyZm8WdtqTuV'
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, P5YM9AGvh3to0BuV5X9.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'OP2G1GjBoN', 'NtProtectVirtualMemory', 'NNjdnuSPQWnbU8taRc7', 'E8r9e6SZhLbYv6WW1qA', 'VsQjBsSoVleDmwpI4is', 'hXlawlSBdu4LXtYKVoD'
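The two kinds of entropy hit above measure the same thing at different granularities. The .text section of the sample (and of the dropped mmgfreeway.exe, which reports the identical 7.916001790909424, consistent with the drop being a byte-for-byte copy of the original) sits just under the 8.0 ceiling, which is what compressed or encrypted data looks like; the method names score high because the obfuscator replaced them with random mixed-case strings, while the genuine ntdll export names in the second hit (RtlInitUnicodeString, LdrLoadDll, NtProtectVirtualMemory) betray the native-API unpacking the loader performs. The script below, added here as an example and not taken from the report or from the sample, reproduces both measurements with the Python standard library: a section-table walker that flags high-entropy sections, and the concatenated-name metric run over the names quoted in the hit. The 7.0 threshold and the minimal PE builder used as input are assumptions made for the demo.

```python
"""Entropy triage for PE sections and .NET identifier names (stdlib only).

Added example, not code from the sandbox report or from the sample: it
reproduces the two measurements behind the report's "high entropy" hits.
PACKED_THRESHOLD and build_test_pe() are assumptions made for the demo.
"""
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed rule of thumb; ordinary code sits well below it


def shannon_entropy(data):
    """Bits per symbol: 0.0 for a constant input, 8.0 for bytes spread
    uniformly over all 256 values. Works on bytes and on str alike."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe):
    """Walk the section table of a PE image and return [(name, entropy)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    result = []
    for i in range(nsect):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        result.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def packed_sections(pe, threshold=PACKED_THRESHOLD):
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [name for name, h in section_entropies(pe) if h >= threshold]


def name_entropy(names):
    """The report's concatenated-method-names metric."""
    return shannon_entropy("".join(names))


def build_test_pe(sections):
    """Constructed minimal PE32 image (not a real binary) carrying the given
    [(name, raw_bytes)] sections; only the fields read above are populated."""
    opt_size, pe_off = 224, 0x40
    data_ptr = pe_off + 24 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, blobs = b"", b""
    for name, blob in sections:
        headers += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(blob), 0x1000, len(blob), data_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
        data_ptr += len(blob)
    return dos + coff + b"\0" * opt_size + headers + blobs


# Obfuscated method names quoted in the report's hit, beside the genuine ntdll
# export names listed in the same hit, so the two distributions can be compared.
OBFUSCATED_NAMES = ["Ls5NPVJpxq", "tAx4HJDc91PxEjiFKyw", "J7NqPAD0gUZWL2dejci",
                    "ofollVDj9AYnZIOTl6y", "fhAaFCDXuQfTche8IAx",
                    "A3D0nEDuIBIdvNTZWu4", "AyoaSADhyZm8WdtqTuV"]
PLAIN_NAMES = ["RtlInitUnicodeString", "LdrLoadDll", "RtlZeroMemory",
               "NtQueryInformationProcess", "NtProtectVirtualMemory"]


def demo():
    """Seeded-random .text (stand-in for packed code) beside a zero-filled .rsrc."""
    rng = random.Random(1501090)
    packed_text = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    pe = build_test_pe([(".text", packed_text), (".rsrc", b"\0" * 4096)])
    return {"sections": section_entropies(pe), "packed": packed_sections(pe),
            "obfuscated_names": name_entropy(OBFUSCATED_NAMES),
            "plain_names": name_entropy(PLAIN_NAMES)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real file with `section_entropies(open(path, "rb").read())`; a .text section near 8.0, as reported for this sample, means the real code is decrypted or decompressed only at run time, which is why the unpacked payload had to be recovered from process memory (the `.raw.unpack` and `.sdmp` sources above) rather than from the file on disk.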
Source: C:\Users\user\Desktop\Bill of Lading.exe File created: C:\Users\user\AppData\Roaming\mmgfreeway.exe
Source: C:\Users\user\Desktop\Bill of Lading.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mmgfreeway (2 events)
Source: C:\Users\user\Desktop\Bill of Lading.exe Process information set: NOOPENFILEERRORBOX (32 events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (35 events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 events)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (2 events)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory allocated: B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 23C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 43C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\Bill of Lading.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort (2 events)
Source: C:\Users\user\Desktop\Bill of Lading.exe Process token adjusted: Debug (2 events)
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory allocated: page read and write | page guard
Reading this group: the write-watch reservations and the guard page are what the CLR does for its garbage-collected heaps and thread stacks in every .NET process, so on their own they say nothing about evasion. The indicators that are the sample's own work are the SBIEDLL.DLL string (a Sandboxie check), the Win32_ComputerSystem serial-number and model patterns (strings that common virtualisation platforms place in those fields, so an analysis VM that does not mask them will be fingerprinted), and the DebugPort queries, which are what CheckRemoteDebuggerPresent issues.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 152000
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15C000
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15E000
Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 255008
Source: C:\Users\user\Desktop\Bill of Lading.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Bill of Lading.exe Queries volume information: C:\Users\user\Desktop\Bill of Lading.exe VolumeInformation
Source: C:\Users\user\Desktop\Bill of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Bill of Lading.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
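The memory-write sequence above is the hollowing pattern in full: the dropper starts InstallUtil.exe, a signed .NET framework utility, with no arguments; a PE header (4D5A) lands at 0x150000; further writes follow at 0x152000, 0x15C000 and 0x15E000 as the sections are mapped in; and a final write at 0x255008 lies well outside that image. A user's Desktop executable launching InstallUtil.exe with an empty command line is itself a strong hunt signal, and together with the drop to AppData\Roaming\mmgfreeway.exe and the matching HKCU Run value in the Data Obfuscation group these are the lines an incident responder needs in a ticket. The parser below, added here as an example and not part of the report or of Joe Sandbox, pulls exactly those indicators out of behaviour lines of the shape used on this page. The line subset it is fed is copied from the report; the set of event names it recognises, the Run-key matching rule and the field names in its output are the example's own choices, not a documented report schema.

```python
"""Pull the injection and persistence indicators out of sandbox behaviour lines.

Added example, not part of the report or of Joe Sandbox: the parser is written
against the "Source: <process> <event>: <details>" line shape used on this
page, and REPORT_LINES is a constructed subset copied from it. The trailing
"Jump to ..." link text present in the raw export is tolerated and dropped.
"""
import json
import re

REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe File created: C:\Users\user\AppData\Roaming\mmgfreeway.exe Jump to dropped file",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mmgfreeway Jump to behavior",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 150000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 152000",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15C000",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 15E000",
    r"Source: C:\Users\user\Desktop\Bill of Lading.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 255008",
    r'Source: C:\Users\user\Desktop\Bill of Lading.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
]

# Event names this example understands (chosen from the lines on this page).
EVENTS = ("File created", "Registry value created or modified", "Memory written",
          "Process created", "Key value queried", "Queries volume information")
LINE_RE = re.compile(r"^Source: (?P<proc>.+?) (?P<event>" + "|".join(map(re.escape, EVENTS))
                     + r"): (?P<detail>.*?)(?: Jump to (?:behavior|dropped file))?$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def parse_line(line):
    """One behaviour line -> {'proc', 'event', 'detail'}, or None if unrecognised."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_hollowing(events):
    """Foreign writes that begin with an MZ header mean the writer is mapping a
    new image into another process. Every base written to that target is kept
    so the section-by-section pattern and any write outside the image (here
    0x255008, far above the image at 0x150000) stay visible to the analyst."""
    spawned = {(e["proc"], e["detail"].split(' "', 1)[0])
               for e in events if e["event"] == "Process created"}
    by_target = {}
    for e in events:
        w = WRITE_RE.match(e["detail"]) if e["event"] == "Memory written" else None
        if not w:
            continue
        key = (e["proc"], w["target"])
        rec = by_target.setdefault(key, {
            "writer": e["proc"], "target": w["target"], "image_base": None,
            "writes": [], "spawned_by_writer": key in spawned})
        base = int(w["base"], 16)
        rec["writes"].append(base)
        if w["magic"] and w["magic"].upper().startswith("4D5A"):
            rec["image_base"] = base
    return [r for r in by_target.values() if r["image_base"] is not None]


def find_run_key_persistence(events):
    """Run-key values whose name matches the basename of a file dropped in the run."""
    dropped = [e["detail"] for e in events if e["event"] == "File created"]
    hits = {}
    for e in events:
        if e["event"] != "Registry value created or modified":
            continue
        key, _, value = e["detail"].rpartition(" ")
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        match = [p for p in dropped if p.lower().rsplit("\\", 1)[-1] == value.lower() + ".exe"]
        hits[(key, value)] = {"hive_key": key, "value": value,
                              "dropped_file": match[0] if match else None}
    return list(hits.values())


def summarize(lines):
    """Indicator summary for the lines given; unrecognised lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    return {"injection": find_hollowing(events),
            "persistence": find_run_key_persistence(events)}


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_LINES), indent=2))
```

On a live host the same two facts are what to check first: `InstallUtil.exe` running with no arguments and no Visual Studio or installer parent, and a `Run` value under HKCU whose name matches an executable in the user's AppData\Roaming.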

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR
No contacted IP infos