
Analysis Report SecuriteInfo.com.generic.ml.32161

Overview

General Information

Sample Name: SecuriteInfo.com.generic.ml.32161 (renamed file extension from 32161 to exe)
Analysis ID: 337336
MD5: 0640f43c412f8f2c3bf6e1b9139db1d0
SHA1: f07e9e5e618b14b0dd5478cb2a26f42096a10e1d
SHA256: 1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
Tags: GuLoader

Most interesting Screenshot:

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.generic.ml.exe (PID: 908 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: 0640F43C412F8F2C3BF6E1B9139DB1D0)
    • ieinstal.exe (PID: 6588 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6680 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6724 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6908 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ielowutil.exe (PID: 7084 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' MD5: D1F5C3244A69511CAC88009B71884A71)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0xce8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0xce8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: ielowutil.exe PID: 7084 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.generic.ml.exe PID: 908 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ielowutil.exe, ProcessId: 7084, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.generic.ml.exe | Virustotal: Detection: 11%
Source: SecuriteInfo.com.generic.ml.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6
Source: global traffic | TCP traffic: 192.168.2.3:49733 -> 185.157.161.61:52360
Source: Joe Sandbox View | IP Address: 142.250.180.97 142.250.180.97
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ielowutil.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f
Source: ielowutil.exe, 00000016.00000002.571131966.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/r
Source: ielowutil.exe, 00000016.00000003.540935394.0000000002FAE000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 142.250.180.97:443 -> 192.168.2.3:49732 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F536B NtSetInformationThread,0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F0399 EnumWindows,NtSetInformationThread,0_2_021F0399
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F58B4 NtProtectVirtualMemory,0_2_021F58B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F20D3 NtWriteVirtualMemory,Sleep,0_2_021F20D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F22D5 NtWriteVirtualMemory,0_2_021F22D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2315 NtWriteVirtualMemory,0_2_021F2315
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F4B05 NtSetInformationThread,0_2_021F4B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2385 NtWriteVirtualMemory,0_2_021F2385
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F23C1 NtWriteVirtualMemory,0_2_021F23C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F48EE NtSetInformationThread,0_2_021F48EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F20E1 NtWriteVirtualMemory,0_2_021F20E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2119 NtWriteVirtualMemory,0_2_021F2119
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F216D NtWriteVirtualMemory,0_2_021F216D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2189 NtWriteVirtualMemory,0_2_021F2189
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F21C5 NtWriteVirtualMemory,0_2_021F21C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F21F1 NtWriteVirtualMemory,0_2_021F21F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F1F98 NtSetInformationThread,0_2_021F1F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2415 NtWriteVirtualMemory,0_2_021F2415
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F042D NtSetInformationThread,0_2_021F042D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2445 NtWriteVirtualMemory,0_2_021F2445
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F2495 NtWriteVirtualMemory,0_2_021F2495
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F0485 NtSetInformationThread,0_2_021F0485
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F04AD NtSetInformationThread,0_2_021F04AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F24CD NtWriteVirtualMemory,0_2_021F24CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F24ED NtWriteVirtualMemory,0_2_021F24ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F0D39 NtSetInformationThread,NtWriteVirtualMemory,0_2_021F0D39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5D3D NtSetInformationThread,22_2_02AD5D3D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD602D NtSetInformationThread,22_2_02AD602D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD601D NtSetInformationThread,22_2_02AD601D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5E8D NtSetInformationThread,22_2_02AD5E8D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5EE2 NtSetInformationThread,22_2_02AD5EE2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5E39 NtSetInformationThread,22_2_02AD5E39
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5E19 NtSetInformationThread,22_2_02AD5E19
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5E71 NtSetInformationThread,22_2_02AD5E71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5FB9 NtSetInformationThread,22_2_02AD5FB9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5F89 NtSetInformationThread,22_2_02AD5F89
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5F2D NtSetInformationThread,22_2_02AD5F2D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5DA9 NtSetInformationThread,22_2_02AD5DA9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5D81 NtSetInformationThread,22_2_02AD5D81
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5D95 NtSetInformationThread,22_2_02AD5D95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5DDD NtSetInformationThread,22_2_02AD5DDD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD5D69 NtSetInformationThread,22_2_02AD5D69
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_004012D4 0_2_004012D4
Source: SecuriteInfo.com.generic.ml.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000000.205786428.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Indk.exe vs SecuriteInfo.com.generic.ml.exe
Source: SecuriteInfo.com.generic.ml.exe | Binary or memory string: OriginalFilename Indk.exe vs SecuriteInfo.com.generic.ml.exe
Source: SecuriteInfo.com.generic.ml.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000000.00000002.313168282.0000000000409000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.205779909.0000000000409000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@25/1@3/2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE
Source: SecuriteInfo.com.generic.ml.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.generic.ml.exe | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ielowutil.exe PID: 7084, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.generic.ml.exe PID: 908, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_004069D1 push ss; retf 0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_004066E0 push ss; retf 0_2_00406A0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_004043BD push ebp; iretd 0_2_004043C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEU
Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F536B rdtsc 0_2_021F536B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Window / User API: threadDelayed 700
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376 | Thread sleep count: 700 > 30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1376 | Thread sleep time: -7000000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Last function: Thread delayed
Source: SecuriteInfo.com.generic.ml.exe, ielowutil.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.generic.ml.exe, 00000000.00000002.313492179.00000000021F0000.00000040.00000001.sdmp, ielowutil.exe, 00000016.00000002.570071221.0000000002AD1000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeU

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F536B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000040,021F0479,00000000,00000000,00000000,00000000,?,00000000,00000000,021F4A9F,?,021F4489 0_2_021F536B
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F536B rdtsc 0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F362C LdrInitializeThunk,0_2_021F362C
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_004012D4 mov ebx, dword ptr fs:[00000030h] 0_2_004012D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F536B mov eax, dword ptr fs:[00000030h] 0_2_021F536B
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F4A29 mov eax, dword ptr fs:[00000030h] 0_2_021F4A29
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F1AA5 mov eax, dword ptr fs:[00000030h] 0_2_021F1AA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F4358 mov eax, dword ptr fs:[00000030h] 0_2_021F4358
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F53B5 mov eax, dword ptr fs:[00000030h] 0_2_021F53B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F291E mov eax, dword ptr fs:[00000030h] 0_2_021F291E
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F1C59 mov eax, dword ptr fs:[00000030h] 0_2_021F1C59
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F1C71 mov eax, dword ptr fs:[00000030h] 0_2_021F1C71
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe | Code function: 0_2_021F15CB mov eax, dword ptr fs:[00000030h] 0_2_021F15CB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD4A29 mov eax, dword ptr fs:[00000030h] 22_2_02AD4A29
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD53B5 mov eax, dword ptr fs:[00000030h] 22_2_02AD53B5
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD536B mov eax, dword ptr fs:[00000030h] 22_2_02AD536B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD4358 mov eax, dword ptr fs:[00000030h] 22_2_02AD4358
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Code function: 22_2_02AD2917 mov eax, dword ptr fs:[00000030h] 22_2_02AD2917

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Writes to foreign memory regionsShow sources
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeMemory written: C:\Program Files (x86)\Internet Explorer\ielowutil.exe base: 2AD0000Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exeProcess created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe 'C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe' Jump to behavior
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager
        Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manageranager
        Source: logs.dat.22.dr Binary or memory string: [ Program Manager ]
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager0|
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Managerr|
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: |Program Manager
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program ManageryO
        Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program ManageranagerH
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Managerr
        Source: ielowutil.exe, 00000016.00000002.571662057.0000000004A80000.00000004.00000040.sdmp Binary or memory string: |Program Manager|
        Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmp Binary or memory string: Program Manager|
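        The two behaviour blocks above carry the two findings an analyst would want to pull out of this export automatically: the dropper repeatedly creates Internet Explorer helper binaries (ieinstal.exe nine times, ielowutil.exe once) whose command line is the dropper's own path rather than the IE binary, the usual shape of a hollowed host process and consistent with the report's "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures; and the ielowutil.exe memory and the dropped logs.dat hold foreground-window titles in the "[ title ]" form together with the desktop window names Progman and Shell_TrayWnd, the footprint of a keylogger recording the active window. The Python below is an added triage helper, not part of the Joe Sandbox report or product; it assumes only the line shapes seen above (including the fused "...exeProcess created:" export artefact) and runs on a constructed sample that mirrors those lines plus one benign control line.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not sandbox code).

Flags (1) child processes whose command line names a different executable than the
image actually created (image/command-line mismatch, typical of process hollowing), and
(2) memory strings that look like foreground-window keylogging.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# "\s*" tolerates the export artefact where "...exe" and "Process created:" are fused.
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?\.exe)\s*Process created: (?P<image>.+?\.exe) '(?P<cmdline>[^']*)'",
    re.IGNORECASE,
)
MEM_RE = re.compile(r"^Source: (?P<source>.+?)\s*Binary or memory string: (?P<value>.*)$")

# Keylog entry shape seen in logs.dat above: the foreground window title wrapped in "[ ... ]".
TITLE_ENTRY_RE = re.compile(r"^\[ .+ \]$")
# Desktop window class/title names that a foreground-window logger picks up on an idle desktop.
DESKTOP_WINDOW_NAMES = {"progman", "shell_traywnd", "program manager"}


@dataclass(frozen=True)
class ProcessCreate:
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemoryString:
    source: str
    value: str


def parse_behavior(text):
    """Split report lines into process-creation events and memory strings; other lines are ignored."""
    procs, strings = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            procs.append(ProcessCreate(m["parent"], m["image"], m["cmdline"]))
        elif m := MEM_RE.match(line):
            strings.append(MemoryString(m["source"].strip(), m["value"].strip()))
    return procs, strings


def _claimed_image(cmdline):
    """Basename of the executable the command line claims to run, or '' if it names none."""
    m = re.match(r"\s*\"?(.+?\.exe)", cmdline, re.IGNORECASE)
    return ntpath.basename(m.group(1)).lower() if m else ""


def hollowing_candidates(procs):
    """Count, per child image, creations whose command line names a different executable."""
    counts = Counter()
    for ev in procs:
        actual = ntpath.basename(ev.image).lower()
        claimed = _claimed_image(ev.cmdline)
        if claimed and claimed != actual:
            counts[actual] += 1
    return dict(counts)


def keylog_indicators(strings):
    """Return (source, kind, value) for strings that look like foreground-window logging."""
    hits = []
    for s in strings:
        if TITLE_ENTRY_RE.match(s.value):
            hits.append((s.source, "window-title log entry", s.value))
        elif s.value.lower() in DESKTOP_WINDOW_NAMES:
            hits.append((s.source, "desktop window name", s.value))
    return hits


def triage(text):
    procs, strings = parse_behavior(text)
    return {"hollowing": hollowing_candidates(procs), "keylog": keylog_indicators(strings)}


# Constructed sample mirroring the report lines above; the final explorer.exe -> notepad.exe
# line is a benign control whose image and command line agree and must not be flagged.
_DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.exe"
_IE = r"C:\Program Files (x86)\Internet Explorer"
SAMPLE = "\n".join(
    [f"Source: {_DROPPER}Process created: {_IE}\\ieinstal.exe '{_DROPPER}' Jump to behavior"] * 9
    + [f"Source: {_DROPPER}Process created: {_IE}\\ielowutil.exe '{_DROPPER}' Jump to behavior"]
    + [
        "Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmpBinary or memory string: Program Manager",
        "Source: ielowutil.exe, 00000016.00000002.571262654.0000000003490000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd",
        "Source: logs.dat.22.drBinary or memory string: [ Program Manager ]",
        "Source: ielowutil.exe, 00000016.00000002.571697419.0000000004A87000.00000004.00000040.sdmpBinary or memory string: Program Manager0|",
        r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\System32\notepad.exe' Jump to behavior",
    ]
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

        On the sample this reports {'ieinstal.exe': 9, 'ielowutil.exe': 1} for the mismatch check and three keylog hits (two desktop window names from ielowutil.exe memory, one bracketed title entry from logs.dat); the benign notepad.exe launch and the truncated "Program Manager0|" fragment are correctly left alone. The mismatch rule is deliberately narrow: it only fires when the command line names an executable that differs from the created image, which is the observation the report lists, rather than on the IE helper names themselves.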

        MITRE ATT&CK Matrix

        The matrix is listed here one tactic per line (one line per column of the original grid). The digits attached to a technique name are the original matrix's counter badges, copied as they appear in the export; they mark the techniques the sandbox observed for this sample, and unmarked techniques are the grid's standard entries.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Privilege Escalation: Process Injection 112; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 22; Process Injection 112; Obfuscated Files or Information 1; Software Packing; Steganography
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: Security Software Discovery 421; Virtualization/Sandbox Evasion 22; Process Discovery 1; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 1
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Command and Control: Encrypted Channel 12; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 2; Fallback Channels; Multiband Communication
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
        Impact: Modify System Partition; Device Lockout; Delete Device Data

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.