Windows Analysis Report
QuickTextPaste (2).exe

Overview

General Information

Sample name: QuickTextPaste (2).exe
Analysis ID: 1562565
MD5: 4bc6dc45d87f46354cf96b0d60d849e5
SHA1: 2af2591cf4fa6a2625f99012c24377378143010d
SHA256: e58e9f7cce5acebd12f2fbe7a8f4da092982291f0cf553066e515359ec71af81
Tags: Compilazione, protetti, copyright, exe, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops large PE files
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: QuickTextPaste (2).exe Avira: detected
Source: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: QuickTextPaste (2).exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: QuickTextPaste (2).exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Unpacked PE file: 0.2.QuickTextPaste (2).exe.730000.2.unpack
Source: QuickTextPaste (2).exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 64.95.10.19:56001 -> 192.168.2.12:49719
Source: global traffic TCP traffic: 192.168.2.12:49719 -> 64.95.10.19:56001
Source: Joe Sandbox View ASN Name: BRAHMAN-NYUS BRAHMAN-NYUS
Source: csc.exe, 00000004.00000003.2796297037.0000000004B70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: csc.exe, 00000004.00000003.2796297037.0000000004B70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00426601 SetWindowsHookExW 0000000D,0041ED8B,00000000,00000000 0_2_00426601
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00433F0D OpenClipboard,RegisterClipboardFormatW,GetClipboardData,GlobalLock,CloseClipboard, 0_2_00433F0D
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_004324DC IsWindow,GetKeyboardState,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,GetKeyboardState,keybd_event, 0_2_004324DC

System Summary

Source: 0.2.QuickTextPaste (2).exe.49eb26.1.raw.unpack, RegistryRefExpression.cs Large array initialization: ManageRule: array initializer size 298256
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe File dump: DesktopInfo.exe.0.dr 979567349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00416231 NtQueryDefaultLocale,lstrlenW,GetDlgItem, 0_2_00416231
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00416F82 NtQueryDefaultLocale, 0_2_00416F82
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00416087 NtQueryDefaultLocale, 0_2_00416087
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_0041616C NtQueryDefaultLocale, 0_2_0041616C
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00416473 NtQueryDefaultLocale, 0_2_00416473
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_004157C3 NtQueryDefaultLocale, 0_2_004157C3
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: String function: 00437C80 appears 39 times
Source: QuickTextPaste (2).exe Binary or memory string: OriginalFilename vs QuickTextPaste (2).exe
Source: QuickTextPaste (2).exe, 00000000.00000002.2541169472.000000000078A000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCjmjchusqsd.exe" vs QuickTextPaste (2).exe
Source: QuickTextPaste (2).exe Binary or memory string: OriginalFilenameQuickTextPaste.exe( vs QuickTextPaste (2).exe
Source: QuickTextPaste (2).exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.QuickTextPaste (2).exe.49eb26.1.raw.unpack, RegistryRefExpression.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QuickTextPaste (2).exe.49eb26.1.raw.unpack, ConnectionSerializerModel.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QuickTextPaste (2).exe.49eb26.1.raw.unpack, ConnectionSerializerModel.cs Task registration methods: 'RegisterRule'
Source: classification engine Classification label: mal100.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00426601 GetModuleHandleW,SetWindowsHookExW,GetLastError,FormatMessageW,MessageBoxW,LocalFree, 0_2_00426601
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe File created: C:\Users\user\Pictures\DesktopInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: \Sessions\1\BaseNamedObjects\86e9217bf3f8
Source: QuickTextPaste (2).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QuickTextPaste (2).exe ReversingLabs: Detection: 68%
Source: QuickTextPaste (2).exe String found in binary or memory: <!--StartFrag
Source: QuickTextPaste (2).exe String found in binary or memory: <!--StartFragment-->
Source: QuickTextPaste (2).exe String found in binary or memory: EndSelectionStartSelection<!--EndFragEndFragment<!--StartFragStartFragmentEndHTML%08u<html>StartHTML<!--EndFragment--></body>
Source: QuickTextPaste (2).exe String found in binary or memory: <!--StartFragment-->HTML Format
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe File read: C:\Users\user\Desktop\QuickTextPaste (2).exe
Source: unknown Process created: C:\Users\user\Desktop\QuickTextPaste (2).exe "C:\Users\user\Desktop\QuickTextPaste (2).exe"
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QuickTextPaste (2).exe Static file information: File size 1363968 > 1048576

Data Obfuscation

Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Unpacked PE file: 0.2.QuickTextPaste (2).exe.730000.2.unpack
Source: 0.2.QuickTextPaste (2).exe.49eb26.1.raw.unpack, ConnectionSerializerModel.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00434350 LoadLibraryW,GetProcAddress, 0_2_00434350
Source: QuickTextPaste (2).exe Static PE information: real checksum: 0x844df should be: 0x1515bf
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00437C80 push eax; ret 0_2_00437C9E
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00437CA0 push eax; ret 0_2_00437CCE
Source: QuickTextPaste (2).exe Static PE information: section name: .text entropy: 6.867077590981686
Source: DesktopInfo.exe.0.dr Static PE information: section name: .text entropy: 6.867077590981686
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe File created: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DesktopInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\15036547B1E75A4B687ED1F301A71B42 4555936c9bfd67fc4c92d88fec2bb6b0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 67C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6AB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 8AB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Window / User API: threadDelayed 3243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Window / User API: threadDelayed 6548
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Dropped PE file which has not been started: C:\Users\user\Pictures\DesktopInfo\Bin\DesktopInfo.exe
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe API coverage: 0.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 5248 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: csc.exe, 00000004.00000003.2796297037.0000000004B70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00434350 LoadLibraryW,GetProcAddress, 0_2_00434350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A40000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4A40000
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 476E008
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_004324DC IsWindow,GetKeyboardState,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,GetKeyboardState,keybd_event, 0_2_004324DC
Source: QuickTextPaste (2).exe Binary or memory string: Shell_TrayWnd
Source: QuickTextPaste (2).exe, DesktopInfo.exe.0.dr Binary or memory string: WidthBytes: %d bmWidth:%d bmBitsPixel:%d hb:%dNo-HBitmap<br>0};%d,UCHAR img_data[]={int ys=%d;int xs=%d;No HBITMAPShell_TrayWndTrayNotifyWndC:\shell32SetMenuInfoNULL
Source: QuickTextPaste (2).exe, DesktopInfo.exe.0.dr Binary or memory string: GDtGDXGDHGDWorkerWSysListView32SHELLDLL_DefViewProgram ManagerUniformResourceLocatorToolbarWindow32SHAutoCompleteSHLWAPI.DLLBackInternet Explorer_Server
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: GetLocaleInfoW, 0_2_0043271F
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: GetLocaleInfoW, 0_2_004327AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QuickTextPaste (2).exe Code function: 0_2_00421838 __EH_prolog,GetLocalTime, 0_2_00421838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: csc.exe, 00000004.00000003.2796297037.0000000004B70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt