
Analysis Report Odeme belegesi_changed.exe

Overview

General Information

Sample Name: Odeme belegesi_changed.exe
MD5: 76bb84fa044847f65cedba79e463fcd9
SHA1: 2eecbf1df9509125c469cf0610670506e610b77b
SHA256: f25d34639868cf56a357cc7caa9c6658bd7fec96ec84a4207e8242f82a2624bc


Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Odeme belegesi_changed.exe (PID: 3380 cmdline: 'C:\Users\user\Desktop\Odeme belegesi_changed.exe' MD5: 76BB84FA044847F65CEDBA79E463FCD9)
    • RegAsm.exe (PID: 612 cmdline: 'C:\Users\user\Desktop\Odeme belegesi_changed.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1257729779.00000000009B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | (none)
Process Memory Space: RegAsm.exe PID: 612 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | (none)

Sigma Overview

No Sigma rule has matched

Signature Overview


Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 5x nop then jmp 009B2661h | 3_2_009B2616
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6x nop then cld | 3_2_009B2616
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 6x nop then cld | 3_2_009B2639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then push edi | 3_2_009B075F

Source: Joe Sandbox View | IP Address: 104.16.203.237
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B2D9D InternetReadFile | 3_2_009B2D9D
Source: unknown | DNS traffic detected: queries for: www.mediafire.com
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

Source: Odeme belegesi_changed.exe, 00000000.00000002.1091198666.00000000006FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C2D9D NtResumeThread | 0_2_006C2D9D
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C1058 NtWriteVirtualMemory | 0_2_006C1058
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C2DBD NtResumeThread | 0_2_006C2DBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B29D0 NtProtectVirtualMemory | 3_2_009B29D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B0150 EnumWindows,NtSetInformationThread | 3_2_009B0150
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00401460 | 0_2_00401460
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00406AE5 | 0_2_00406AE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B0150 | 3_2_009B0150
Source: Odeme belegesi_changed.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Odeme belegesi_changed.exe, 00000000.00000002.1091141326.00000000006B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename user32j% vs Odeme belegesi_changed.exe
Source: Odeme belegesi_changed.exe, 00000000.00000000.831466045.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename emble.exe vs Odeme belegesi_changed.exe
Source: Odeme belegesi_changed.exe | Binary or memory string: OriginalFilename emble.exe vs Odeme belegesi_changed.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal68.troj.evad.winEXE@4/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_01
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | File created: C:\Users\user\AppData\Local\Temp\~DFF2EAF0B6B1229A84.TMP
Source: Odeme belegesi_changed.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Odeme belegesi_changed.exe 'C:\Users\user\Desktop\Odeme belegesi_changed.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Odeme belegesi_changed.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Odeme belegesi_changed.exe'
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000003.00000002.1257729779.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 612, type: MEMORY
Source: Odeme belegesi_changed.exe | Static PE information: real checksum: 0x1b0f4 should be: 0x1b0f5
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00405471 push FFFFFFB7h; ret | 0_2_0040548D
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_004074D6 push 24AE3F33h; ret | 0_2_00407555
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_004074F6 push 24AE3F33h; ret | 0_2_00407555
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_004060FE push edx; ret | 0_2_004060FF
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_0040548E push FFFFFFB7h; ret | 0_2_0040548D
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00404D4A push ebp; retf | 0_2_00404D4B
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_004085BE push ss; iretd | 0_2_004085C5
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_0040764A push eax; iretd | 0_2_00407659
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00408277 pushfd; iretd | 0_2_00408279
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00407226 push 01E20130h; iretd | 0_2_00407235
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00407AD1 push 00CAB4D7h; iretd | 0_2_00407ADD
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00407AEF push es; iretd | 0_2_00407AFD
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_00404B57 push 8B79C001h; iretd | 0_2_00404B5C
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C1446 push FFFFFF8Ah; retf | 0_2_006C144D
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C3042 push esp; iretd | 0_2_006C305C
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C1426 push FFFFFF8Ah; retf | 0_2_006C144D
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C2977 push ebp; ret | 0_2_006C2987
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C0D95 push ebx; retn 0006h | 0_2_006C0E15
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C2A2B push edx; retf | 0_2_006C2A2C
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C2A11 push eax; retf | 0_2_006C2A28
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C26E8 push ebx; retf | 0_2_006C26E9
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C0310 push ebx; retn 0006h | 0_2_006C0311
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Code function: 0_2_006C0B89 push ebx; retn 0006h | 0_2_006C0B91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B2FC2 push esp; iretd | 3_2_009B305C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B305D push esp; iretd | 3_2_009B305C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B2674 push esp; iretd | 3_2_009B305C

Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B132C | 3_2_009B132C

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_3-2104

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | RDTSC instruction interceptor: First address: 00000000006C1331, second address: 00000000006C1383, instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F1BD0A9E43Eh
    0x00000004 fnop
    0x00000006 lfence
    0x00000009 shl edx, 20h
    0x0000000c or edx, eax
    0x0000000e mov esi, edx
    0x00000010 pushad
    0x00000011 mov eax, 00000001h
    0x00000016 fnop
    0x00000018 cpuid
    0x0000001a bt ecx, 1Fh
    0x0000001e fnop
    0x00000020 jc 00007F1BD0A9E412h
    0x00000022 popad
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | RDTSC instruction interceptor: First address: 00000000006C1383, second address: 00000000006C1331, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F1BD0B5BB4Ch
    0x00000011 lfence
    0x00000014 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: First address: 00000000009B1331, second address: 00000000009B1383, instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F1BD0A9E43Eh
    0x00000004 fnop
    0x00000006 lfence
    0x00000009 shl edx, 20h
    0x0000000c or edx, eax
    0x0000000e mov esi, edx
    0x00000010 pushad
    0x00000011 mov eax, 00000001h
    0x00000016 fnop
    0x00000018 cpuid
    0x0000001a bt ecx, 1Fh
    0x0000001e fnop
    0x00000020 jc 00007F1BD0A9E412h
    0x00000022 popad
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RDTSC instruction interceptor: First address: 00000000009B1383, second address: 00000000009B1331, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F1BD0B5BB4Ch
    0x00000011 ret
    0x00000012 add edi, edx
    0x00000014 pop ecx
    0x00000015 dec ecx
    0x00000016 cmp ecx, 00000000h
    0x00000019 jne 00007F1BD0B5BBA3h
    0x0000001b push ecx
    0x0000001c call 00007F1BD0B5BBCFh
    0x00000021 fnop
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B1335 rdtsc | 3_2_009B1335
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 760
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | API coverage: 1.4 %
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4204 | Thread sleep time: -7600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: RegAsm.exe, 00000003.00000002.1258234454.0000000000E26000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: Odeme belegesi_changed.exe, 00000000.00000002.1091198666.00000000006FA000.00000004.00000020.sdmp, RegAsm.exe, 00000003.00000002.1257729779.00000000009B0000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000003.00000002.1258132081.0000000000DE0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWPy

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B0150 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 | 3_2_009B0150

Hides threads from debuggers
Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B1335 rdtsc | 3_2_009B1335
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B2297 mov eax, dword ptr fs:[00000030h] | 3_2_009B2297
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B128D mov eax, dword ptr fs:[00000030h] | 3_2_009B128D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B240D mov eax, dword ptr fs:[00000030h] | 3_2_009B240D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B2735 mov eax, dword ptr fs:[00000030h] | 3_2_009B2735
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B0A35 mov eax, dword ptr fs:[00000030h] | 3_2_009B0A35
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B075F mov eax, dword ptr fs:[00000030h] | 3_2_009B075F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 3_2_009B0B53 mov eax, dword ptr fs:[00000030h] | 3_2_009B0B53

Source: C:\Users\user\Desktop\Odeme belegesi_changed.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Odeme belegesi_changed.exe'
Source: RegAsm.exe, 00000003.00000002.1258384268.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.1258384268.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.1258384268.0000000001270000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: RegAsm.exe, 00000003.00000002.1258384268.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

The matrix is listed per tactic column; the digits in parentheses are the match markers the report attaches to a technique, kept as extracted. Techniques without a marker are unmatched matrix entries.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through API (1); Graphical User Interface (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection (12); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (12); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading; DLL Search Order Hijacking
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion (11); Process Discovery (1); Application Window Discovery (1); Security Software Discovery (411); Remote System Discovery (1); System Information Discovery (21)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol (12); Remote File Copy (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (2); Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
