Analysis Report SecuriteInfo.com.generic.ml.32161

Overview

General Information

Sample Name: SecuriteInfo.com.generic.ml.32161 (renamed file extension from 32161 to exe)
Analysis ID: 337336
MD5: 0640f43c412f8f2c3bf6e1b9139db1d0
SHA1: f07e9e5e618b14b0dd5478cb2a26f42096a10e1d
SHA256: 1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
Tags: GuLoader

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.generic.ml.exe Virustotal: Detection: 11%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.generic.ml.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 185.157.161.61:52360
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 142.250.180.97
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ielowutil.exe String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/r
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F536B NtSetInformationThread, 0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F0399 EnumWindows,NtSetInformationThread, 0_2_021F0399
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F58B4 NtProtectVirtualMemory, 0_2_021F58B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F20D3 NtWriteVirtualMemory,Sleep, 0_2_021F20D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F22D5 NtWriteVirtualMemory, 0_2_021F22D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2315 NtWriteVirtualMemory, 0_2_021F2315
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F4B05 NtSetInformationThread, 0_2_021F4B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2385 NtWriteVirtualMemory, 0_2_021F2385
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F23C1 NtWriteVirtualMemory, 0_2_021F23C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F48EE NtSetInformationThread, 0_2_021F48EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F20E1 NtWriteVirtualMemory, 0_2_021F20E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2119 NtWriteVirtualMemory, 0_2_021F2119
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F216D NtWriteVirtualMemory, 0_2_021F216D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2189 NtWriteVirtualMemory, 0_2_021F2189
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F21C5 NtWriteVirtualMemory, 0_2_021F21C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F21F1 NtWriteVirtualMemory, 0_2_021F21F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F1F98 NtSetInformationThread, 0_2_021F1F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2415 NtWriteVirtualMemory, 0_2_021F2415
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F042D NtSetInformationThread, 0_2_021F042D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2445 NtWriteVirtualMemory, 0_2_021F2445
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F2495 NtWriteVirtualMemory, 0_2_021F2495
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F0485 NtSetInformationThread, 0_2_021F0485
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F04AD NtSetInformationThread, 0_2_021F04AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F24CD NtWriteVirtualMemory, 0_2_021F24CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F24ED NtWriteVirtualMemory, 0_2_021F24ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F0D39 NtSetInformationThread,NtWriteVirtualMemory, 0_2_021F0D39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5D3D NtSetInformationThread, 22_2_02AD5D3D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD602D NtSetInformationThread, 22_2_02AD602D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD601D NtSetInformationThread, 22_2_02AD601D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5E8D NtSetInformationThread, 22_2_02AD5E8D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5EE2 NtSetInformationThread, 22_2_02AD5EE2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5E39 NtSetInformationThread, 22_2_02AD5E39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5E19 NtSetInformationThread, 22_2_02AD5E19
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5E71 NtSetInformationThread, 22_2_02AD5E71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5FB9 NtSetInformationThread, 22_2_02AD5FB9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5F89 NtSetInformationThread, 22_2_02AD5F89
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5F2D NtSetInformationThread, 22_2_02AD5F2D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5DA9 NtSetInformationThread, 22_2_02AD5DA9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5D81 NtSetInformationThread, 22_2_02AD5D81
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5D95 NtSetInformationThread, 22_2_02AD5D95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5DDD NtSetInformationThread, 22_2_02AD5DDD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD5D69 NtSetInformationThread, 22_2_02AD5D69
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_004012D4 0_2_004012D4
PE file contains strange resources
Source: SecuriteInfo.com.generic.ml.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000000.205786428.0000000000411000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndk.exe vs SecuriteInfo.com.generic.ml.exe
Source: SecuriteInfo.com.generic.ml.exe Binary or memory string: OriginalFilenameIndk.exe vs SecuriteInfo.com.generic.ml.exe
Uses 32bit PE files
Source: SecuriteInfo.com.generic.ml.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@25/1@3/2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE
Source: SecuriteInfo.com.generic.ml.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.generic.ml.exe Virustotal: Detection: 11%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ielowutil.exe PID: 7084, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.generic.ml.exe PID: 908, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_004069D1 push ss; retf 0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_004066E0 push ss; retf 0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_004043BD push ebp; iretd 0_2_004043C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEU
Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F536B rdtsc 0_2_021F536B
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Window / User API: threadDelayed 700
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376 Thread sleep count: 700 > 30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376 Thread sleep time: -7000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Last function: Thread delayed
Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeU

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F536B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489 0_2_021F536B
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F536B rdtsc 0_2_021F536B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F362C LdrInitializeThunk, 0_2_021F362C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_004012D4 mov ebx, dword ptr fs:[00000030h] 0_2_004012D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F536B mov eax, dword ptr fs:[00000030h] 0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F4A29 mov eax, dword ptr fs:[00000030h] 0_2_021F4A29
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F1AA5 mov eax, dword ptr fs:[00000030h] 0_2_021F1AA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F4358 mov eax, dword ptr fs:[00000030h] 0_2_021F4358
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F53B5 mov eax, dword ptr fs:[00000030h] 0_2_021F53B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F291E mov eax, dword ptr fs:[00000030h] 0_2_021F291E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F1C59 mov eax, dword ptr fs:[00000030h] 0_2_021F1C59
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F1C71 mov eax, dword ptr fs:[00000030h] 0_2_021F1C71
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Code function: 0_2_021F15CB mov eax, dword ptr fs:[00000030h] 0_2_021F15CB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD4A29 mov eax, dword ptr fs:[00000030h] 22_2_02AD4A29
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD53B5 mov eax, dword ptr fs:[00000030h] 22_2_02AD53B5
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD536B mov eax, dword ptr fs:[00000030h] 22_2_02AD536B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD4358 mov eax, dword ptr fs:[00000030h] 22_2_02AD4358
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 22_2_02AD2917 mov eax, dword ptr fs:[00000030h] 22_2_02AD2917

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Memory written: C:\Program Files (x86)\Internet Explorer\ielowutil.exe base: 2AD0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manageranager
Source: logs.dat.22.dr Binary or memory string: [ Program Manager ]
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager0|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Managerr|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: |Program Manager
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program ManageryO
Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program ManageranagerH
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Managerr
Source: ielowutil.exe, 00000016.00000002.571662057.0000000004A80000.00000004.00000040.sdmp Binary or memory string: |Program Manager|
Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager|

Behavior Graph

Behavior Graph ID: 337336
Sample: SecuriteInfo.com.generic.ml.32161
Startdate: 08/01/2021
Architecture: WINDOWS
Score: 100

(Rendered graph image not available; the nodes and edges recoverable from the graph text are listed below.)

  • Sample-level signatures: Potential malicious icon found; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
  • Sample-level DNS/IP: g.msn.com
  • SecuriteInfo.com.generic.ml.exe started; signatures: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
  • SecuriteInfo.com.generic.ml.exe started child processes: ielowutil.exe; ieinstal.exe; ieinstal.exe; 9 other processes
  • ielowutil.exe DNS/IP: wealthyblessed.myddns.rocks 185.157.161.61 (ports 49733, 52360; OBE-EUROPEObenetworkEuropeSE, Sweden); googlehosted.l.googleusercontent.com 142.250.180.97 (ports 443, 49732; GOOGLEUS, United States); doc-0c-8c-docs.googleusercontent.com
  • ielowutil.exe dropped file: C:\Users\user\AppData\Roaming\...\logs.dat (ASCII)
  • ielowutil.exe signatures: Tries to detect Any.run; Hides threads from debuggers

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
185.157.161.61 unknown Sweden 197595 OBE-EUROPEObenetworkEuropeSE true
142.250.180.97 unknown United States 15169 GOOGLEUS false

Contacted Domains

Name IP Active
wealthyblessed.myddns.rocks 185.157.161.61 true
googlehosted.l.googleusercontent.com 142.250.180.97 true
g.msn.com unknown unknown
doc-0c-8c-docs.googleusercontent.com unknown unknown