
Windows Analysis Report
word.exe

Overview

General Information

Sample name: word.exe
Analysis ID: 1497467
MD5: 0ea4553778672b58bbd711fb039552c8
SHA1: 8487f359428f19444696ce610ed81c6b4dd56a6a
SHA256: 910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • word.exe (PID: 6308, cmdline: "C:\Users\user\Desktop\word.exe", MD5: 0EA4553778672B58BBD711FB039552C8)
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\spherosome\preadoption\preembodiment\Unending.die | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
C:\Users\user\AppData\Local\Temp\nsbD910.tmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.4568994288.0000000003000000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000000.00000002.4568696784.00000000027FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000000.00000002.4568994288.0000000006D40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: word.exe | Joe Sandbox ML: detected
Source: word.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: word.exe | Static PE information: certificate valid
Source: word.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00405FF5 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00402645 FindFirstFileA
Source: word.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: word.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: word.exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: word.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: word.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: word.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: word.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: word.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: word.exe | String found in binary or memory: http://ocsps.ssl.com0
Source: word.exe | String found in binary or memory: http://ocsps.ssl.com0?
Source: word.exe | String found in binary or memory: http://ocsps.ssl.com0_
Source: word.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: word.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: word.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\word.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\word.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00404959
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_004062CB
Source: word.exe, 00000000.00000000.2108364899.0000000000447000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametrichinization.exe4 vs word.exe
Source: word.exe | Binary or memory string: OriginalFilenametrichinization.exe4 vs word.exe
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/9@0/0
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\word.exe | File created: C:\Users\user\spherosome
Source: C:\Users\user\Desktop\word.exe | File created: C:\Users\user\AppData\Local\Temp\nsbD90F.tmp
Source: word.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\word.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\word.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\word.exe | File read: C:\Users\user\Desktop\word.exe
Source: C:\Users\user\Desktop\word.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\word.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\word.exe | File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.4568994288.0000000006D40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4568994288.0000000003000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4568696784.00000000027FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\spherosome\preadoption\preembodiment\Unending.die, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nsbD910.tmp, type: DROPPED
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: System.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1014f
Source: word.exe | Static PE information: real checksum: 0xb3966 should be: 0xb47c4
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_10002D30 push eax; ret 0_2_10002D5E
Source: C:\Users\user\Desktop\word.exe | File created: C:\Users\user\AppData\Local\Temp\nsmDB24.tmp\System.dll
Source: C:\Users\user\Desktop\word.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\word.exe | RDTSC instruction interceptor: First address: 71C5171 second address: 71C5171 instructions:
  0x00000000 rdtsc
  0x00000002 cmp dx, C9B0h
  0x00000007 cmp ax, cx
  0x0000000a cmp ebx, ecx
  0x0000000c jc 00007FCC747EDA8Ah
  0x0000000e cmp dx, bx
  0x00000011 test cx, dx
  0x00000014 inc ebp
  0x00000015 test edx, ebx
  0x00000017 inc ebx
  0x00000018 rdtsc
Source: C:\Users\user\Desktop\word.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmDB24.tmp\System.dll
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00405FF5 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\word.exe | API call chain: ExitProcess graph end node (graph_0-4275)
Source: C:\Users\user\Desktop\word.exe | API call chain: ExitProcess graph end node (graph_0-4438)
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00405D13 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

MITRE ATT&CK Matrix (number of matching signatures in parentheses)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
  • Resource Development: Acquire Infrastructure, Domains, DNS Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Native API (1), Scheduled Task/Job, At
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: Masquerading (11), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: Security Software Discovery (1), File and Directory Discovery (3), System Information Discovery (13)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact