Analysis Report Scan_order.scr

Overview

General Information

Sample Name: Scan_order.scr (renamed file extension from scr to exe)
Analysis ID: 337854
MD5: 04be7ed51e345a56403df4657b376990
SHA1: 44f5fdf6902d114524afc110cd927f95f72903fa
SHA256: ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
Tags: GuLoader, RemcosRAT, scr

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Compliance:

Uses 32bit PE files
Source: Scan_order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49755 -> 185.157.161.61:52360
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.217.23.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com
Source: ieinstal.exe String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Scan_order.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Scan_order.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5B11 NtProtectVirtualMemory, 0_2_021C5B11
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C29E9 NtWriteVirtualMemory,Sleep, 0_2_021C29E9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5F53 NtResumeThread, 0_2_021C5F53
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C0549 EnumWindows,NtSetInformationThread, 0_2_021C0549
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6205 NtResumeThread, 0_2_021C6205
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2AB9 NtWriteVirtualMemory, 0_2_021C2AB9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5AA6 NtProtectVirtualMemory, 0_2_021C5AA6
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C231C NtWriteVirtualMemory, 0_2_021C231C
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C236C NtWriteVirtualMemory, 0_2_021C236C
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2369 NtWriteVirtualMemory, 0_2_021C2369
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2390 NtWriteVirtualMemory, 0_2_021C2390
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C23C9 NtWriteVirtualMemory, 0_2_021C23C9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C23F9 NtWriteVirtualMemory, 0_2_021C23F9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6001 NtResumeThread, 0_2_021C6001
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6031 NtResumeThread, 0_2_021C6031
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C602D NtResumeThread, 0_2_021C602D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1021 NtWriteVirtualMemory, 0_2_021C1021
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C604A NtResumeThread, 0_2_021C604A
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6065 NtResumeThread, 0_2_021C6065
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6091 NtResumeThread, 0_2_021C6091
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C60BD NtResumeThread, 0_2_021C60BD
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C60D9 NtResumeThread, 0_2_021C60D9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6135 NtResumeThread, 0_2_021C6135
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6129 NtResumeThread, 0_2_021C6129
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6177 NtResumeThread, 0_2_021C6177
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6160 NtResumeThread, 0_2_021C6160
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C6198 NtResumeThread, 0_2_021C6198
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C61BD NtResumeThread, 0_2_021C61BD
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C51CF NtWriteVirtualMemory, 0_2_021C51CF
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C61C5 NtResumeThread, 0_2_021C61C5
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C61F1 NtResumeThread, 0_2_021C61F1
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C0614 NtSetInformationThread, 0_2_021C0614
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C063D NtSetInformationThread, 0_2_021C063D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1E2D NtWriteVirtualMemory, 0_2_021C1E2D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C26A7 NtWriteVirtualMemory, 0_2_021C26A7
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C26D4 NtWriteVirtualMemory, 0_2_021C26D4
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C272D NtWriteVirtualMemory, 0_2_021C272D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C274B NtWriteVirtualMemory, 0_2_021C274B
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5F68 NtResumeThread, 0_2_021C5F68
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5F93 NtResumeThread, 0_2_021C5F93
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FB9 NtResumeThread, 0_2_021C5FB9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FA9 NtResumeThread, 0_2_021C5FA9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FAB NtResumeThread, 0_2_021C5FAB
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FC1 NtResumeThread, 0_2_021C5FC1
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FC3 NtResumeThread, 0_2_021C5FC3
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FED NtResumeThread, 0_2_021C5FED
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5FEF NtResumeThread, 0_2_021C5FEF
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C241D NtWriteVirtualMemory, 0_2_021C241D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2461 NtWriteVirtualMemory, 0_2_021C2461
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2495 NtWriteVirtualMemory, 0_2_021C2495
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C24BE NtWriteVirtualMemory, 0_2_021C24BE
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2CC8 NtWriteVirtualMemory, 0_2_021C2CC8
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2514 NtWriteVirtualMemory, 0_2_021C2514
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C550F NtWriteVirtualMemory,LoadLibraryA, 0_2_021C550F
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C253D NtWriteVirtualMemory, 0_2_021C253D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2539 NtWriteVirtualMemory, 0_2_021C2539
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C05B5 NtSetInformationThread, 0_2_021C05B5
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C25A9 NtWriteVirtualMemory, 0_2_021C25A9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C25AB NtWriteVirtualMemory, 0_2_021C25AB
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C05D9 NtSetInformationThread, 0_2_021C05D9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C25F7 NtWriteVirtualMemory, 0_2_021C25F7
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C35E9 NtSetInformationThread, 0_2_021C35E9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D5B11 NtProtectVirtualMemory, 25_2_032D5B11
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D5AA6 NtProtectVirtualMemory, 25_2_032D5AA6
Detected potential crypto function
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_004027ED 0_2_004027ED
Sample file is different than original file name gathered from version info
Source: Scan_order.exe, 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Source: Scan_order.exe Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Uses 32bit PE files
Source: Scan_order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@2/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Roaming\remcos Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE
Source: C:\Users\user\Desktop\Scan_order.exe File created: C:\Users\user\AppData\Local\Temp\~DFFCC5FEF3BD8D5BCE.TMP Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: Scan_order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan_order.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Scan_order.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: C:\Users\user\Desktop\Scan_order.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe' Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs' Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6128, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Scan_order.exe PID: 5260, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040481C push ebx; ret 0_2_0040481D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00408422 push ecx; retf 0_2_00408423
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040403A push eax; ret 0_2_0040403B
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_004054C9 push esp; iretd 0_2_0040555C
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00408C9A push ecx; retf 0_2_00408CAF
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040414A push ECE29E81h; ret 0_2_0040414F
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040416C push EDC16208h; ret 0_2_00404173
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00408504 push eax; ret 0_2_00408527
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00406D10 push ebx; ret 0_2_00406D11
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00406A43 push esp; iretd 0_2_00406A44
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00406647 push edx; retn 0006h 0_2_00406648
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00402AF4 push cs; iretd 0_2_00402AF5
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_004086FD push 6DCDEB08h; retf 0_2_0040872B
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_004082A2 push ecx; retf 0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00405AB6 push A8FAEB08h; iretd 0_2_00405ABB
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040830C push ecx; retf 0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00408B2A push ecx; retf 0_2_00408B5F
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_00405FCA push eax; retf 0_2_00405FCB
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_0040CFAE pushfd ; iretd 0_2_0040CFCD
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4AA1 push 89F538D8h; ret 0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4AE9 push 89F538D8h; ret 0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C3BF8 push cs; retf 0_2_021C3BF9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C13F7 push 38C2EBD8h; retf 0_2_021C1408
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C46DF push 85C2EBD8h; retf 0_2_021C46F0
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C57B9 push eax; ret 0_2_021C57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D3737 push DDE8C938h; iretd 25_2_032D373C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D57B9 push eax; ret 25_2_032D57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4AA1 push 89F538D8h; ret 25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4AE9 push 89F538D8h; ret 25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D46DF push 85C2EBD8h; retf 25_2_032D46F0

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1E2D NtWriteVirtualMemory, 0_2_021C1E2D
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\Scan_order.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Scan_order.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Scan_order.exe, ieinstal.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C29E9 rdtsc 0_2_021C29E9
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636 Thread sleep count: 252 > 30 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636 Thread sleep time: -2520000s >= -30000s Jump to behavior
Source: Scan_order.exe, ieinstal.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C0549 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,? 0_2_021C0549
Hides threads from debuggers
Source: C:\Users\user\Desktop\Scan_order.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Scan_order.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C29E9 rdtsc 0_2_021C29E9
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C36F0 LdrInitializeThunk, 0_2_021C36F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_004027ED mov ebx, dword ptr fs:[00000030h] 0_2_004027ED
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C2B29 mov eax, dword ptr fs:[00000030h] 0_2_021C2B29
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1E2D mov eax, dword ptr fs:[00000030h] 0_2_021C1E2D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1E40 mov eax, dword ptr fs:[00000030h] 0_2_021C1E40
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1E7D mov eax, dword ptr fs:[00000030h] 0_2_021C1E7D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C16EC mov eax, dword ptr fs:[00000030h] 0_2_021C16EC
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4F5A mov eax, dword ptr fs:[00000030h] 0_2_021C4F5A
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4F51 mov eax, dword ptr fs:[00000030h] 0_2_021C4F51
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4F60 mov eax, dword ptr fs:[00000030h] 0_2_021C4F60
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1C19 mov eax, dword ptr fs:[00000030h] 0_2_021C1C19
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C1C0A mov eax, dword ptr fs:[00000030h] 0_2_021C1C0A
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C550F mov eax, dword ptr fs:[00000030h] 0_2_021C550F
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C550B mov eax, dword ptr fs:[00000030h] 0_2_021C550B
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5536 mov eax, dword ptr fs:[00000030h] 0_2_021C5536
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5524 mov eax, dword ptr fs:[00000030h] 0_2_021C5524
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C4558 mov eax, dword ptr fs:[00000030h] 0_2_021C4558
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C557D mov eax, dword ptr fs:[00000030h] 0_2_021C557D
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C5581 mov eax, dword ptr fs:[00000030h] 0_2_021C5581
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C55A9 mov eax, dword ptr fs:[00000030h] 0_2_021C55A9
Source: C:\Users\user\Desktop\Scan_order.exe Code function: 0_2_021C55CD mov eax, dword ptr fs:[00000030h] 0_2_021C55CD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D2B15 mov eax, dword ptr fs:[00000030h] 25_2_032D2B15
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4F60 mov eax, dword ptr fs:[00000030h] 25_2_032D4F60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4F5A mov eax, dword ptr fs:[00000030h] 25_2_032D4F5A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4F51 mov eax, dword ptr fs:[00000030h] 25_2_032D4F51
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D5524 mov eax, dword ptr fs:[00000030h] 25_2_032D5524
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D5536 mov eax, dword ptr fs:[00000030h] 25_2_032D5536
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D550F mov eax, dword ptr fs:[00000030h] 25_2_032D550F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D550B mov eax, dword ptr fs:[00000030h] 25_2_032D550B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D557D mov eax, dword ptr fs:[00000030h] 25_2_032D557D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D4558 mov eax, dword ptr fs:[00000030h] 25_2_032D4558
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D55A9 mov eax, dword ptr fs:[00000030h] 25_2_032D55A9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D5581 mov eax, dword ptr fs:[00000030h] 25_2_032D5581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 25_2_032D55CD mov eax, dword ptr fs:[00000030h] 25_2_032D55CD

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Scan_order.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 32D0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Scan_order.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe' Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs' Jump to behavior
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Manager[|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Managerros\logs.dat|
Source: logs.dat.25.dr Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Manager0|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Managerr|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: |Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Manager StartedL
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: Program Manager Starteder8
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: |Program Managering\remcos\logs.dT
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Behavior Graph

Behavior Graph ID: 337854  Sample: Scan_order.scr  Startdate: 11/01/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected GuLoader; Sigma detected: Remcos; 4 other signatures

Process tree (reconstructed from the behavior graph):
  Scan_order.exe (started)
    Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); 4 other signatures
    -> ieinstal.exe (started)
         DNS/IP: wealthyblessed.myddns.rocks 185.157.161.61, ports 49755, 52360, OBE-EUROPEObenetworkEuropeSE, Sweden
         DNS/IP: googlehosted.l.googleusercontent.com 172.217.23.1, ports 443, 49754, GOOGLEUS, United States
         DNS/IP: doc-0c-8c-docs.googleusercontent.com
         Dropped file: C:\Users\user\AppData\Roaming\...\logs.dat, ASCII
         Signatures: Tries to detect Any.run; Hides threads from debuggers
         -> wscript.exe (started)
    -> ieinstal.exe (started)

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                      Malicious
172.217.23.1    unknown  United States  15169   GOOGLEUS                      false
185.157.161.61  unknown  Sweden         197595  OBE-EUROPEObenetworkEuropeSE  true

Contacted Domains

Name                                  IP              Active
wealthyblessed.myddns.rocks           185.157.161.61  true
googlehosted.l.googleusercontent.com  172.217.23.1    true
doc-0c-8c-docs.googleusercontent.com  unknown         unknown