Source: 15790_Invoice_confirmation.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389175473.00000000006CA000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: 15790_Invoice_confirmation.exe
Static file information: Suspicious name
Source: initial sample
Static PE information: Filename: 15790_Invoice_confirmation.exe
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00401600
0_2_00401600
Source: 15790_Invoice_confirmation.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389068575.0000000000600000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe
Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe
Source: classification engine
Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: 15790_Invoice_confirmation.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match
File source: Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668, type: MEMORY
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00407878 push 6B7AF3E2h; ret
0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040A438 pushad ; retf
0_2_0040A443
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040903B push FFFFFFEBh; ret
0_2_0040903F
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_004058D8 push ebx; iretd
0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_004058EB push ebx; iretd
0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040A4F9 push ebx; retf
0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040A572 push ebx; retf
0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00407181 push FFFFFFEBh; ret
0_2_00407183
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00407E5C pushfd ; ret
0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00407EA9 pushfd ; ret
0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040775D push 6B7AF3E2h; ret
0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040A72F push esi; ret
0_2_0040A732
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0040A7D2 push ebp; ret
0_2_0040A7E2
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00635D00 push eax; ret
0_2_00635D01
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007F9CE8932DB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
RDTSC instruction interceptor: First address: 0000000000633264 second address: 0000000000633264 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F9CE8936B98h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F9CE8936B9Eh 0x00000024 test bh, ah 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F9CE8936B73h 0x0000002c push ecx 0x0000002d call 00007F9CE8936BDEh 0x00000032 call 00007F9CE8936BAAh 0x00000037 lfence 0x0000003a mov edx, dword ptr [7FFE0014h] 0x00000040 lfence 0x00000043 ret 0x00000044 mov esi, edx 0x00000046 pushad 0x00000047 rdtsc
Source: 15790_Invoice_confirmation.exe
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0063347D rdtsc
0_2_0063347D
Source: 15790_Invoice_confirmation.exe
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0063507E mov eax, dword ptr fs:[00000030h]
0_2_0063507E
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00634C05 mov eax, dword ptr fs:[00000030h]
0_2_00634C05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_006330D4 mov eax, dword ptr fs:[00000030h]
0_2_006330D4
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00631CDD mov eax, dword ptr fs:[00000030h]
0_2_00631CDD
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_00631D05 mov eax, dword ptr fs:[00000030h]
0_2_00631D05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Code function: 0_2_0063171E mov eax, dword ptr fs:[00000030h]
0_2_0063171E
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp
Binary or memory string: Program Manager
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp
Binary or memory string: Progmanlock