Analysis Report Vendor Details form_xlsx.exe

Overview

General Information

Sample Name: Vendor Details form_xlsx.exe
Analysis ID: 312636
MD5: 00f7ca62101d0e7b0f47f0c350385492
SHA1: 55e3e089f8d8e8383af7ae3ebd1ba325821c16ec
SHA256: 29bddad7e0c6da155a7b603b88848fdc19ebd6b0f0e783bebe5a04d64e78ac52
Tags: exe, GuLoader

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Vendor Details form_xlsx.exe (PID: 3948 cmdline: 'C:\Users\user\Desktop\Vendor Details form_xlsx.exe' MD5: 00F7CA62101D0E7B0F47F0C350385492)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: Vendor Details form_xlsx.exe PID: 3948
Rule: JoeSecurity_VB6DownloaderGeneric
Description: Yara detected VB6 Downloader Generic
Author: Joe Security

Source: Process Memory Space: Vendor Details form_xlsx.exe PID: 3948
Rule: JoeSecurity_GuLoader
Description: Yara detected GuLoader
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: Vendor Details form_xlsx.exe, 00000000.00000002.475876563.00000000006EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_00402B49 0_2_00402B49
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_004011A8 0_2_004011A8
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_00402B71 0_2_00402B71
Source: Vendor Details form_xlsx.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Vendor Details form_xlsx.exe, 00000000.00000002.475100638.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTermans4.exe vs Vendor Details form_xlsx.exe
Source: Vendor Details form_xlsx.exe, 00000000.00000002.476615706.00000000021E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Vendor Details form_xlsx.exe
Source: Vendor Details form_xlsx.exe | Binary or memory string: OriginalFilenameTermans4.exe vs Vendor Details form_xlsx.exe
Source: classification engine | Classification label: mal72.rans.troj.evad.winEXE@1/0@0/0
Source: Vendor Details form_xlsx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Vendor Details form_xlsx.exe PID: 3948, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Vendor Details form_xlsx.exe PID: 3948, type: MEMORY
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_0040DE04 push eax; ret 0_2_0040DE43
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_0040403D push edx; retf 0_2_0040417A
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Vendor Details form_xlsx.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | RDTSC instruction interceptor: First address: 0000000002227649 second address: 0000000002227649 instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 cmp byte ptr [esi], FFFFFFA4h
  0x00000006 jnc 00007F07ACA60C85h
  0x00000008 test ch, 0000003Bh
  0x0000000b mov ebx, eax
  0x0000000d cmp bx, ED7Eh
  0x00000012 shl eax, 05h
  0x00000015 test ecx, eax
  0x00000017 add eax, ebx
  0x00000019 movzx ecx, byte ptr [esi]
  0x0000001c add eax, ecx
  0x0000001e inc esi
  0x0000001f cmp byte ptr [esi], 00000000h
  0x00000022 jne 00007F07ACA60C08h
  0x00000024 pushad
  0x00000025 mov edi, 000000A6h
  0x0000002a rdtsc
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_02227603 rdtsc 0_2_02227603
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Vendor Details form_xlsx.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_02227603 rdtsc 0_2_02227603
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_02227208 mov eax, dword ptr fs:[00000030h] 0_2_02227208
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_022230A6 mov eax, dword ptr fs:[00000030h] 0_2_022230A6
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_02223131 mov eax, dword ptr fs:[00000030h] 0_2_02223131
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_02224346 mov eax, dword ptr fs:[00000030h] 0_2_02224346
Source: C:\Users\user\Desktop\Vendor Details form_xlsx.exe | Code function: 0_2_022279BB mov eax, dword ptr fs:[00000030h] 0_2_022279BB
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Vendor Details form_xlsx.exe, 00000000.00000002.476166571.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Vendor Details form_xlsx.exe, 00000000.00000002.476166571.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Vendor Details form_xlsx.exe, 00000000.00000002.476166571.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Vendor Details form_xlsx.exe, 00000000.00000002.476166571.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques listed per tactic column (trailing digits are the report's own signature counts, kept as given):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion11; Process Injection1; Obfuscated Files or Information1; Binary Padding
Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery311; Virtualization/Sandbox Evasion11; Process Discovery1; System Information Discovery11
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel1; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Screenshots