Source: 315800_Invoice_confirmation.exe |
ReversingLabs: Detection: 10% |
Source: 315800_Invoice_confirmation.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: 315800_Invoice_confirmation.exe |
Static file information: Suspicious name |
Source: initial sample |
Static PE information: Filename: 315800_Invoice_confirmation.exe |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Process Stats: CPU usage > 98% |
Source: 315800_Invoice_confirmation.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 315800_Invoice_confirmation.exe, 00000000.00000000.248945860.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilename geochr.exe vs 315800_Invoice_confirmation.exe |
Source: 315800_Invoice_confirmation.exe |
Binary or memory string: OriginalFilename geochr.exe vs 315800_Invoice_confirmation.exe |
Source: classification engine |
Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0 |
Source: 315800_Invoice_confirmation.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: 315800_Invoice_confirmation.exe PID: 6016, type: MEMORY |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00408627 push ss; iretd (function 0_2_004085E8) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00406B64 push 0000005Fh; iretd (function 0_2_00406B9D) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00408578 push ss; iretd (function 0_2_004085E8) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Process information set: NOOPENFILEERRORBOX (5 identical events logged) |
Source: 315800_Invoice_confirmation.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
RDTSC instruction interceptor: First address: 0000000000404336 second address: 0000000000404336 instructions:
    0x00000000 rdtsc
    0x00000002 wait
    0x00000003 wait
    0x00000004 dec esi
    0x00000005 nop
    0x00000006 nop
    0x00000007 cmp esi, 00000000h
    0x0000000a jne 00007F7040C3D2D6h
    0x0000000c rdtsc |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_004230E9 rdtsc (function 0_2_004230E9) |
Source: 315800_Invoice_confirmation.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00425177 mov eax, dword ptr fs:[00000030h] (function 0_2_00425177) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00424B45 mov eax, dword ptr fs:[00000030h] (function 0_2_00424B45) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00424B52 mov eax, dword ptr fs:[00000030h] (function 0_2_00424B52) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00425C5D mov eax, dword ptr fs:[00000030h] (function 0_2_00425C5D) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00425C62 mov eax, dword ptr fs:[00000030h] (function 0_2_00425C62) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00425C2E mov eax, dword ptr fs:[00000030h] (function 0_2_00425C2E) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00422D7B mov eax, dword ptr fs:[00000030h] (function 0_2_00422D7B) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00421EDA mov eax, dword ptr fs:[00000030h] (function 0_2_00421EDA) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00421E92 mov eax, dword ptr fs:[00000030h] (function 0_2_00421E92) |
Source: C:\Users\user\Desktop\315800_Invoice_confirmation.exe |
Code function: 0_2_00421EA6 mov eax, dword ptr fs:[00000030h] (function 0_2_00421EA6) |
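Added example, not part of the sandbox report or of the vendor's tooling: a stdlib-only Python scan that looks, in a raw 32-bit code buffer, for the byte encodings of the three instruction patterns the report flags above: mov eax, dword ptr fs:[30h] (the PEB pointer in the 32-bit TEB, the usual start of a BeingDebugged check or manual import resolution), rdtsc pairs of the kind the interceptor trace shows around a countdown loop, and push ss / push imm8 followed by iretd. The pattern names, the 0x400000 image base and the sample buffer (a re-encoding of the interceptor's loop plus the two push/iretd gadgets) are assumptions constructed for this example, not bytes from the sample.

```python
"""Byte-pattern scan for the anti-analysis instruction sequences a sandbox
report may list: PEB reads via fs:[30h], rdtsc timing checks, push/iretd
control-flow tricks. Stdlib only; the sample buffer below is constructed."""
import re
from dataclasses import dataclass

# Standard IA-32 encodings of the mnemonics in the report. Pattern names are
# this example's own labels, not report terminology.
PATTERNS = {
    "peb_access_fs30": rb"\x64\xa1\x30\x00\x00\x00",  # mov eax, dword ptr fs:[30h]
    "rdtsc": rb"\x0f\x31",                              # rdtsc
    "push_ss_iretd": rb"\x16\xcf",                      # push ss; iretd
    "push_imm8_iretd": rb"\x6a.\xcf",                   # push imm8; iretd
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in PATTERNS.items()}


@dataclass(frozen=True)
class Hit:
    name: str
    va: int      # virtual address = image base + file/section offset
    raw: bytes


def scan(code: bytes, base: int = 0x400000) -> list[Hit]:
    """Return every pattern hit sorted by address. This is a byte scan, not a
    disassembly: a 0F 31 inside an immediate or a string also matches, so
    hits are triage leads, not verdicts."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(code):
            hits.append(Hit(name, base + m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h.va)


def timing_loops(hits: list[Hit], window: int = 32) -> list[tuple[int, int]]:
    """Pair rdtsc hits that lie within `window` bytes of each other: the shape
    of the 'rdtsc ... short loop ... rdtsc' check the interceptor logged.
    Two reads far apart are more likely unrelated and are not paired."""
    vas = [h.va for h in hits if h.name == "rdtsc"]
    return [(a, b) for a, b in zip(vas, vas[1:]) if 0 < b - a <= window]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per pattern, for a quick evasion-indicator tally."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts


# Constructed buffer (assumed, not sample bytes). It re-encodes the interceptor
# trace: rdtsc; fwait; fwait; dec esi; nop; nop; cmp esi,0; jne back; rdtsc,
# then a PEB read and the two push/iretd gadgets, padded with nops and int3.
TIMING_LOOP = bytes.fromhex("0f31 9b 9b 4e 90 90 83fe00 75f6 0f31")
SAMPLE = (
    b"\x90" * 16 + TIMING_LOOP + b"\x90" * 8
    + b"\x64\xa1\x30\x00\x00\x00" + b"\x90" * 4
    + b"\x16\xcf" + b"\x90" * 4
    + b"\x6a\x5f\xcf" + b"\xcc" * 8
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.va:08x}  {h.name:16s}  {h.raw.hex()}")
    print("rdtsc pairs:", [(hex(a), hex(b)) for a, b in timing_loops(found)])
    print("summary:", summarize(found))
```

To run this against the real file you would hand `scan()` the bytes of the .text section (extracted with any PE parser, e.g. pefile's section `get_data()`) and the section's virtual address as `base`, then compare the reported addresses with the 0_2_0042xxxx functions above. Because it matches raw bytes rather than decoded instructions, treat a single rdtsc hit as noise and a close pair, or a fs:[30h] read near a conditional branch, as the thing worth opening in a disassembler.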
Source: 315800_Invoice_confirmation.exe, 00000000.00000002.1263784785.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: 315800_Invoice_confirmation.exe, 00000000.00000002.1263784785.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: 315800_Invoice_confirmation.exe, 00000000.00000002.1263784785.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: 315800_Invoice_confirmation.exe, 00000000.00000002.1263784785.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: 315800_Invoice_confirmation.exe, 00000000.00000002.1263784785.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |