Windows Analysis Report
ugslmd.exe

Overview

General Information

Sample name: ugslmd.exe
Analysis ID: 1432144
MD5: 551ed08a9076a98b16ce6dd72c993209
SHA1: 7f6e01bbbfe0caa479cb9feee9cec092fd4fde9d
SHA256: b3507a576c4b7861f343a95f00e177c0aaeb44fac3400dd054fe8c0aeeeddccd

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to dynamically determine API calls
Detected potential crypto function
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: ugslmd.exe Virustotal: Detection: 18%
Source: ugslmd.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ugslmd.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Users\user\Desktop\ugslmd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ugslmd.exe "C:\Users\user\Desktop\ugslmd.exe"
Source: C:\Users\user\Desktop\ugslmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ugslmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ugslmd.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ugslmd.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ugslmd.exe Section loaded: icmp.dll
Source: C:\Users\user\Desktop\ugslmd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_0040101A memset,memset,memset,_umask,_getcwd,GetVersion,_chdir,sprintf,_mkdir,LoadLibraryA,GetProcAddress,sprintf,sprintf,_access,sprintf,_chdir,sprintf,_mkdir,_mkdir,sprintf,_mkdir,_chdir,sprintf,_mkdir,sprintf,_mkdir,FreeLibrary,getenv,sprintf,sprintf,_access,sprintf,_chdir,sprintf,_mkdir,_mkdir,_chdir,sprintf,_mkdir,sprintf,_chdir,sprintf,_mkdir,sprintf,_mkdir,_chdir,_umask,strlen,memcpy,strcpy, 0_2_0040101A
Source: initial sample Static PE information: section where entry point is pointing to: .data11
Source: ugslmd.exe Static PE information: section name: .textidx
Source: ugslmd.exe Static PE information: section name: CONST
Source: ugslmd.exe Static PE information: section name: .data10
Source: ugslmd.exe Static PE information: section name: .data11
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00684C76 push 64709177h; mov dword ptr [esp], ebp 0_2_00683239
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00684C76 pushfd ; mov dword ptr [esp], ebp 0_2_00683735
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00684C76 pushfd ; mov dword ptr [esp], edi 0_2_00683739
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00684C76 push dword ptr [esp+48h]; retn 004Ch 0_2_00685340
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00684041 push dword ptr [esp+38h]; retn 003Ch 0_2_00684060
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401C3A push dword ptr [esp+38h]; retn 003Ch 0_2_00401C59
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_0040283E push dword ptr [esp+14h]; mov dword ptr [esp], 3A50C060h 0_2_0040284F
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_004018C9 push 27BA4E00h; mov dword ptr [esp], ebx 0_2_004018DF
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401CEB push 64709177h; mov dword ptr [esp], ebp 0_2_00401CF0
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_004028F6 push 3278574Ah; mov dword ptr [esp], ecx 0_2_004028FB
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402946 push dword ptr [esp+38h]; retn 003Ch 0_2_005E08D5
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_005E0156 push dword ptr [esp+08h]; retn 000Ch 0_2_005E016C
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_005E0563 pushad ; mov dword ptr [esp], 9A1F551Ah 0_2_005E0585
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_0040190F pushfd ; mov dword ptr [esp], ebx 0_2_00401917
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_0040190F push ecx; mov dword ptr [esp], ecx 0_2_0040191B
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402119 push dword ptr [esp+34h]; retn 0038h 0_2_00402128
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402183 push 314BF859h; mov dword ptr [esp], ebx 0_2_00402196
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402183 pushfd ; mov dword ptr [esp], ecx 0_2_0040219A
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_004025A9 push ecx; mov dword ptr [esp], 025AC96Ch 0_2_004025F3
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402641 push dword ptr [esp]; mov dword ptr [esp], esi 0_2_00402659
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00402648 push dword ptr [esp]; mov dword ptr [esp], esi 0_2_00402659
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401E31 pushfd ; mov dword ptr [esp], 6E2C6620h 0_2_005E005D
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_004026FD push dword ptr [esp]; mov dword ptr [esp], esi 0_2_00402723
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00683ABF push dword ptr [esp+34h]; retn 0038h 0_2_00683ACE
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00680377 push dword ptr [esp+2Ch]; retn 0038h 0_2_00680E5B
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401B2D pushfd ; mov dword ptr [esp], esi 0_2_00401B46
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401B2D push 747377BDh; mov dword ptr [esp], ebp 0_2_00401B4E
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401EDE push 2B9D4FAFh; mov dword ptr [esp], ebx 0_2_005E1338
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401EDE push 6886B23Ah; mov dword ptr [esp], ecx 0_2_005E1340
Source: ugslmd.exe Static PE information: section name: .data11 entropy: 7.9892958796289655
Source: C:\Users\user\Desktop\ugslmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ugslmd.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: ugslmd.exe, 00000000.00000002.1618992451.000000000088E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ugslmd.exe Code function: 0_2_00401000 GetVersion, 0_2_00401000
No contacted IP information