
Analysis Report SecuriteInfo.com.Trojan.KillProc2.11384.22300.6845

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.KillProc2.11384.22300.6845 (renamed file extension from 6845 to exe)
Analysis ID: 273326
MD5: 3bc3ab41cc7c7d2d30fd785e897beb84
SHA1: d2db0de380be7f53dfc8c47c9d67efc6978a2104
SHA256: 6a07e270c189e9059526fc2570c7e4039f1140115e2f8544bba2b6f5923ac2ce

Most interesting Screenshot:

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.487910368.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 5100 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 5100 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 2980 | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 2980 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_005687FB InternetReadFile,2_2_005687FB
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | String found in binary or memory: http://go.micr
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digi
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000003.256460163.0000000000A6F000.00000004.00000001.sdmp | String found in binary or memory: https://6j8tvg.db.files.1drv.com/
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000003.486951861.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: https://6j8tvg.db.files.1drv.com/y4mwlpeXgFg6g0ELQcPoq3Oj1zvUy3gAHUG_IQ4ck9A05d4cxJEDW5j5tYTOHghUBiO
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | String found in binary or memory: https://go.mic
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | String found in binary or memory: https://go.microso
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488328785.0000000000A5B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488328785.0000000000A5B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/C
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488328785.0000000000A5B000.00000004.00000020.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000003.258770543.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=CEA27E82624AB94F&resid=CEA27E82624AB94F%21197&authkey=AMcnUE5
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488443957.0000000000A90000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337692 NtSetInformationThread,TerminateProcess,0_2_02337692
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02330713 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_02330713
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0233839E NtProtectVirtualMemory,0_2_0233839E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_023387FB NtResumeThread,0_2_023387FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02332FF9 NtWriteVirtualMemory,0_2_02332FF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337037 NtSetInformationThread,TerminateProcess,0_2_02337037
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02333028 NtWriteVirtualMemory,0_2_02333028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338A2C NtResumeThread,0_2_02338A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338A06 NtResumeThread,0_2_02338A06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338808 NtResumeThread,0_2_02338808
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338C4E NtResumeThread,0_2_02338C4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338E4E NtResumeThread,0_2_02338E4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338EF0 NtResumeThread,0_2_02338EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02336ED1 NtWriteVirtualMemory,0_2_02336ED1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02338B38 NtResumeThread,0_2_02338B38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02335174 NtWriteVirtualMemory,0_2_02335174
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0233357C NtWriteVirtualMemory,0_2_0233357C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02330760 NtSetInformationThread,TerminateProcess,0_2_02330760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02333364 NtWriteVirtualMemory,0_2_02333364
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_023331BE NtWriteVirtualMemory,0_2_023331BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519860 NtQuerySystemInformation,LdrInitializeThunk,2_2_1E519860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_1E519660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5196E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_1E5196E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519950 NtQueueApcThread,2_2_1E519950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519650 NtQueryValueKey,2_2_1E519650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519A50 NtCreateFile,2_2_1E519A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519540 NtReadFile,2_2_1E519540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519840 NtDelayExecution,2_2_1E519840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E51B040 NtSuspendThread,2_2_1E51B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519770 NtSetInformationFile,2_2_1E519770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519670 NtQueryInformationProcess,2_2_1E519670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E51A770 NtOpenThread,2_2_1E51A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519760 NtOpenProcess,2_2_1E519760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519560 NtWriteFile,2_2_1E519560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E51A710 NtOpenProcessToken,2_2_1E51A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519A10 NtQuerySection,2_2_1E519A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519910 NtAdjustPrivilegesToken,2_2_1E519910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519710 NtQueryInformationToken,2_2_1E519710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519610 NtEnumerateValueKey,2_2_1E519610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519A00 NtProtectVirtualMemory,2_2_1E519A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519B00 NtSetValueKey,2_2_1E519B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E51AD30 NtSetContextThread,2_2_1E51AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519730 NtQueryVirtualMemory,2_2_1E519730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519820 NtEnumerateKey,2_2_1E519820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519520 NtWaitForSingleObject,2_2_1E519520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519A20 NtResumeThread,2_2_1E519A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5199D0 NtCreateProcessEx,2_2_1E5199D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5196D0 NtCreateKey,2_2_1E5196D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5195D0 NtClose,2_2_1E5195D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5198F0 NtReadVirtualMemory,2_2_1E5198F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5195F0 NtQueryInformationFile,2_2_1E5195F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519FE0 NtCreateMutant,2_2_1E519FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519A80 NtOpenDirectoryObject,2_2_1E519A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E519780 NtMapViewOfSection,2_2_1E519780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E51A3B0 NtGetContextThread,2_2_1E51A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5199A0 NtCreateSection,2_2_1E5199A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5198A0 NtWriteVirtualMemory,2_2_1E5198A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E5197A0 NtUnmapViewOfSection,2_2_1E5197A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00562C25 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,2_2_00562C25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00562AC3 CreateThread,TerminateThread,NtProtectVirtualMemory,2_2_00562AC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00563CCA NtProtectVirtualMemory,2_2_00563CCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00563B4F LdrInitializeThunk,Sleep,NtProtectVirtualMemory,2_2_00563B4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00560713 EnumWindows,LdrInitializeThunk,NtSetInformationThread,2_2_00560713
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_0056839E NtProtectVirtualMemory,2_2_0056839E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00563C7C NtProtectVirtualMemory,2_2_00563C7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00567037 LdrInitializeThunk,NtSetInformationThread,2_2_00567037
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00563CDE NtProtectVirtualMemory,2_2_00563CDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00563CC3 NtProtectVirtualMemory,2_2_00563CC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00560760 LdrInitializeThunk,NtSetInformationThread,2_2_00560760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00560F0A NtProtectVirtualMemory,2_2_00560F0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_00403B94 0_2_00403B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_00405537 0_2_00405537
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337570 0_2_02337570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B94B8 2_2_1E4B94B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00567570 2_2_00567570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E75FD35 2_2_1E75FD35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E75F5B8 2_2_1E75F5B8
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.233867898.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFITTINGLY.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.234318700.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488713744.00000000024D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488775607.0000000002560000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000000.232902314.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFITTINGLY.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.495448851.000000001E75F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Binary or memory string: OriginalFilenameFITTINGLY.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe
Source: classification engine | Classification label: mal76.troj.spyw.evad.winEXE@3/0@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File created: C:\Users\user\AppData\Local\Temp\~DF2CF38F5EF5087F86.TMP
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | String found in binary or memory: The device has succeeded a query-stop and its resource requirements have changed.
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe'
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe'
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.495019734.000000001E5CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000002.00000002.487910368.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 5100, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 2980, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 5100, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 2980, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_00404C42 push ebx; retf 0_2_00404C67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_004064CB push ebx; iretd 0_2_004064CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0040BB0E push ss; ret 0_2_0040BB19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0040B589 push cs; retf 0_2_0040B593
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B427E pushad ; retf 000Dh 2_2_1E4B427F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B9271 push es; iretd 2_2_1E4B9278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B322C push eax; retf 2_2_1E4B321C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E52D0D1 push ecx; ret 2_2_1E52D0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4BA7C0 push es; iretd 2_2_1E4BA7C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B4288 pushad ; retf 2_2_1E4B4289
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E4B3F9F pushad ; ret 2_2_1E4B3FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_1E75F5B8 push es; iretd 2_2_1E75F9B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | RDTSC instruction interceptor: First address: 0000000000409B2E second address: 0000000000409B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0233743E rdtsc 0_2_0233743E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Window / User API: threadDelayed 6212
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe TID: 6488 | Thread sleep count: 6212 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe TID: 6488 | Thread sleep time: -31060s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Thread sleep count: Count: 6212 delay: -5
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488291502.0000000000A38000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW0R
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488391358.0000000000A77000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000000.00000002.235869421.00000000039FA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488901577.00000000025EA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337692 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,0000001C,00000000
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_0233743E rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02334177 LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02331E23 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337C29 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02336EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_023368DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02337D36 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02332905 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_023339CE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00561E23 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00567C29 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_005668DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00566EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00567D36 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_005639CE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 2_2_00562C25 RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe'
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488535159.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488535159.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488535159.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe, 00000002.00000002.488535159.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: Program Manager[
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe | Code function: 0_2_02333CCA cpuid

            Stealing of Sensitive Information:

            Yara detected Generic Dropper
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.22300.exe PID: 2980, type: MEMORY

            Mitre Att&ck Matrix

            The matrix is listed here by tactic column; techniques keep the count badges shown in the report.

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Command and Scripting Interpreter2; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
            Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
            Defense Evasion: Virtualization/Sandbox Evasion23; Process Injection12; Obfuscated Files or Information1; Binary Padding; Software Packing; Steganography
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery421; Virtualization/Sandbox Evasion23; Process Discovery2; Application Window Discovery1; Remote System Discovery1; System Information Discovery111
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Command and Control: Encrypted Channel1; Ingress Tool Transfer1; Non-Application Layer Protocol1; Application Layer Protocol1; Fallback Channels; Multiband Communication
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
            Impact: Modify System Partition; Device Lockout; Delete Device Data

            Behavior Graph

            Screenshots
