Windows Analysis Report
QuickTextPaste.exe

Overview

General Information

Sample name: QuickTextPaste.exe
Analysis ID: 1562564
MD5: 1fdc72504c644ec1fcc368c24f12d94d
SHA1: fb77c3f53398a7781de54ae0596fed19ed7524a4
SHA256: 07fdc5476b30c54df6fbb7991f855d6c9ee1d15e000e4966c06f8f2f3951b381
Tags: Compilazioneprotetticopyrightexeuser-JAMESWT_MHT
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops large PE files
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: QuickTextPaste.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Found malware configuration
Source: 00000003.00000002.3864228386.00000000070C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["45.32.146.65"], "Port": 6868, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Multi AV Scanner detection for submitted file
Source: QuickTextPaste.exe ReversingLabs: Detection: 60%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: 45.32.146.65
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: 6868
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: <123456789>
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: <Xwormmm>
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: XWorm V5.6
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: USB.exe
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: %AppData%
Source: 3.2.csc.exe.5000000.0.unpack String decryptor: XClient.exe

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QuickTextPaste.exe Unpacked PE file: 0.2.QuickTextPaste.exe.2180000.2.unpack
Uses 32bit PE files
Source: QuickTextPaste.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr
Source: Binary string: csc.pdb source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr
Source: Binary string: csc.pdbF source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49709 -> 45.32.146.65:6868
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49716 -> 45.32.146.65:6868
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.32.146.65
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49709 -> 45.32.146.65:6868
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: unknown TCP traffic detected without corresponding DNS query: 45.32.146.65
Source: csc.exe, 00000003.00000002.3864228386.00000000070C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00426601 SetWindowsHookExW 0000000D,0041ED8B,00000000,00000000 0_2_00426601
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00433F0D OpenClipboard,RegisterClipboardFormatW,GetClipboardData,GlobalLock,CloseClipboard, 0_2_00433F0D
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00433F0D OpenClipboard,RegisterClipboardFormatW,GetClipboardData,GlobalLock,CloseClipboard, 0_2_00433F0D
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_004324DC IsWindow,GetKeyboardState,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,GetKeyboardState,keybd_event, 0_2_004324DC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.csc.exe.5000000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.QuickTextPaste.exe.2180000.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.QuickTextPaste.exe.49eb26.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.QuickTextPaste.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1626571461.0000000002182000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3849434803.0000000005002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1626085788.000000000049E000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Drops large PE files
Source: C:\Users\user\Desktop\QuickTextPaste.exe File dump: DesktopInfo.exe.0.dr 979567349 Jump to dropped file
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00406EBE 0_2_00406EBE
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040691A 0_2_0040691A
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00402A35 0_2_00402A35
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040EB7D 0_2_0040EB7D
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0041E397 0_2_0041E397
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040EBBA 0_2_0040EBBA
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040747A 0_2_0040747A
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00402CBF 0_2_00402CBF
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040759C 0_2_0040759C
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00402D9D 0_2_00402D9D
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040EE30 0_2_0040EE30
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0041EF19 0_2_0041EF19
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_0040EF2D 0_2_0040EF2D
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_004067E0 0_2_004067E0
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00402FF2 0_2_00402FF2
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00402FF8 0_2_00402FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_0573B7F8 3_2_0573B7F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05738FD0 3_2_05738FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05734138 3_2_05734138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05731030 3_2_05731030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_057398A0 3_2_057398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05733B40 3_2_05733B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05738C88 3_2_05738C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 3_2_05731610 3_2_05731610
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: String function: 00437C80 appears 38 times
Sample file is different than original file name gathered from version info
Source: QuickTextPaste.exe Binary or memory string: OriginalFilename vs QuickTextPaste.exe
Source: QuickTextPaste.exe, 00000000.00000002.1626571461.0000000002182000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs QuickTextPaste.exe
Source: QuickTextPaste.exe, 00000000.00000002.1626085788.000000000049E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs QuickTextPaste.exe
Uses 32bit PE files
Source: QuickTextPaste.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 3.2.csc.exe.5000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.QuickTextPaste.exe.2180000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.QuickTextPaste.exe.49eb26.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.QuickTextPaste.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1626571461.0000000002182000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3849434803.0000000005002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1626085788.000000000049E000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00426601 GetModuleHandleW,SetWindowsHookExW,GetLastError,FormatMessageW,MessageBoxW,LocalFree, 0_2_00426601
Source: C:\Users\user\Desktop\QuickTextPaste.exe File created: C:\Users\user\Pictures\DesktopInfo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: \Sessions\1\BaseNamedObjects\2IZ7P3Po0yEtvO09
Source: QuickTextPaste.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: QuickTextPaste.exe ReversingLabs: Detection: 60%
Source: QuickTextPaste.exe String found in binary or memory: <!--StartFrag
Source: QuickTextPaste.exe String found in binary or memory: <!--StartFragment-->
Source: QuickTextPaste.exe String found in binary or memory: EndSelectionStartSelection<!--EndFragEndFragment<!--StartFragStartFragmentEndHTML%08u<html>StartHTML<!--EndFragment--></body>
Source: QuickTextPaste.exe String found in binary or memory: <!--StartFragment-->HTML Format
Source: C:\Users\user\Desktop\QuickTextPaste.exe File read: C:\Users\user\Desktop\QuickTextPaste.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\QuickTextPaste.exe "C:\Users\user\Desktop\QuickTextPaste.exe"
Source: C:\Users\user\Desktop\QuickTextPaste.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\QuickTextPaste.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Section loaded: k7rn7l32.dll Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Section loaded: ntd3ll.dll Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 Jump to behavior
Source: XClient.lnk.3.dr LNK file: ..\..\..\..\..\XClient.exe
Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr
Source: Binary string: csc.pdb source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr
Source: Binary string: csc.pdbF source: csc.exe, 00000003.00000003.1625309005.00000000080E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe.3.dr

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QuickTextPaste.exe Unpacked PE file: 0.2.QuickTextPaste.exe.2180000.2.unpack
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, Messages.cs .Net Code: Memory
Compiles C# or VB.Net code
Source: C:\Users\user\Desktop\QuickTextPaste.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\QuickTextPaste.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00434350 LoadLibraryW,GetProcAddress, 0_2_00434350
PE file contains an invalid checksum
Source: QuickTextPaste.exe Static PE information: real checksum: 0x844df should be: 0x10233d
PE file contains sections with non-standard names
Source: XClient.exe.3.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00437C80 push eax; ret 0_2_00437C9E
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00437CA0 push eax; ret 0_2_00437CCE
Source: QuickTextPaste.exe Static PE information: section name: .text entropy: 6.817168827886
Source: DesktopInfo.exe.0.dr Static PE information: section name: .text entropy: 6.817168827886
Drops PE files
Source: C:\Users\user\Desktop\QuickTextPaste.exe File created: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Roaming\XClient.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DesktopInfo Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DesktopInfo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 5730000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 70C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6DF0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Window / User API: threadDelayed 1433 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Window / User API: threadDelayed 8314 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\QuickTextPaste.exe Dropped PE file which has not been started: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\QuickTextPaste.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\QuickTextPaste.exe API coverage: 0.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7772 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7784 Thread sleep count: 1433 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7784 Thread sleep count: 8314 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: csc.exe, 00000003.00000002.3853497945.00000000052F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00434350 LoadLibraryW,GetProcAddress, 0_2_00434350
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process token adjusted: Debug Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\QuickTextPaste.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\QuickTextPaste.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5000000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\QuickTextPaste.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5000000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\QuickTextPaste.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5000000 Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4C82008 Jump to behavior
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_004324DC IsWindow,GetKeyboardState,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,GetKeyboardState,keybd_event, 0_2_004324DC
Source: QuickTextPaste.exe Binary or memory string: Shell_TrayWnd
Source: QuickTextPaste.exe, DesktopInfo.exe.0.dr Binary or memory string: WidthBytes: %d bmWidth:%d bmBitsPixel:%d hb:%dNo-HBitmap<br>0};%d,UCHAR img_data[]={int ys=%d;int xs=%d;No HBITMAPShell_TrayWndTrayNotifyWndC:\shell32SetMenuInfoNULL
Source: QuickTextPaste.exe, DesktopInfo.exe.0.dr Binary or memory string: GDtGDXGDHGDWorkerWSysListView32SHELLDLL_DefViewProgram ManagerUniformResourceLocatorToolbarWindow32SHAutoCompleteSHLWAPI.DLLBackInternet Explorer_Server
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: GetLocaleInfoW, 0_2_0043271F
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: GetLocaleInfoW, 0_2_004327AB
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QuickTextPaste.exe Code function: 0_2_00421838 __EH_prolog,GetLocalTime, 0_2_00421838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: csc.exe, 00000003.00000002.3865330103.000000000A4B0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3853497945.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000003.00000002.3853497945.00000000052F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 3.2.csc.exe.5000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.2180000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.49eb26.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1626571461.0000000002182000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3849434803.0000000005002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1626085788.000000000049E000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuickTextPaste.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 3.2.csc.exe.5000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.49eb26.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.2180000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.49eb26.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuickTextPaste.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1626571461.0000000002182000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3849434803.0000000005002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1626085788.000000000049E000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuickTextPaste.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 7588, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562564 Sample: QuickTextPaste.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 21 Suricata IDS alerts for network traffic 2->21 23 Found malware configuration 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 9 other signatures 2->27 6 QuickTextPaste.exe 1 3 2->6         started        process3 file4 15 C:\Users\user\Pictures\...\DesktopInfo.exe, PE32 6->15 dropped 29 Detected unpacking (creates a PE file in dynamic memory) 6->29 31 Contains functionality to register a low level keyboard hook 6->31 33 Writes to foreign memory regions 6->33 35 3 other signatures 6->35 10 csc.exe 5 6->10         started        signatures5 process6 dnsIp7 19 45.32.146.65, 49709, 49710, 49712 AS-CHOOPAUS United States 10->19 17 C:\Users\user\AppData\Roaming\XClient.exe, PE32 10->17 dropped 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->37 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.32.146.65
 unknown United States
20473 AS-CHOOPAUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.32.146.65 true
  • Avira URL Cloud: safe
 unknown