
Analysis Report Scan_order.scr

Overview

General Information

Sample Name: Scan_order.scr (renamed file extension from scr to exe)
Analysis ID: 337854
MD5: 04be7ed51e345a56403df4657b376990
SHA1: 44f5fdf6902d114524afc110cd927f95f72903fa
SHA256: ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
Tags: GuLoader, RemcosRAT, scr

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan_order.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: 04BE7ED51E345A56403DF4657B376990)
    • ieinstal.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\Scan_order.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • wscript.exe (PID: 5776 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp | Rule: LokiBot_Dropper_Packed_R11_Feb18 | Description: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
  • Strings: 0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp | Rule: LokiBot_Dropper_Packed_R11_Feb18 | Description: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
  • Strings: 0xf40:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: Process Memory Space: ieinstal.exe PID: 6128 | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: Scan_order.exe PID: 5260 | Rule: JoeSecurity_VB6DownloaderGeneric | Description: Yara detected VB6 Downloader Generic | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, ProcessId: 6128, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview


Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.157.161.61 ports 0,2,52360,3,5,6
Source: global traffic | TCP traffic: 192.168.2.3:49755 -> 185.157.161.61:52360
Source: Joe Sandbox View | IP Address: 172.217.23.1
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0c-8c-docs.googleusercontent.com
Source: ieinstal.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | HTTPS traffic detected: 172.217.23.1:443 -> 192.168.2.3:49754 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Scan_order.exe
Source: C:\Users\user\Desktop\Scan_order.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5B11 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C29E9 NtWriteVirtualMemory, Sleep
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5F53 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C0549 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6205 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2AB9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5AA6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C231C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C236C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2369 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2390 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C23C9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C23F9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6001 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6031 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C602D NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C1021 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C604A NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6065 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6091 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C60BD NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C60D9 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6135 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6129 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6177 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6160 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C6198 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C61BD NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C51CF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C61C5 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C61F1 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C0614 NtSetInformationThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C063D NtSetInformationThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C1E2D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C26A7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C26D4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C272D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C274B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5F68 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5F93 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FB9 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FA9 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FAB NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FC1 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FC3 NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FED NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C5FEF NtResumeThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C241D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2461 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2495 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C24BE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2CC8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2514 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C550F NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C253D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C2539 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C05B5 NtSetInformationThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C25A9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C25AB NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C05D9 NtSetInformationThread
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C25F7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C35E9 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D5B11 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D5AA6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_004027ED
Source: Scan_order.exe, 00000000.00000002.595931964.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Source: Scan_order.exe | Binary or memory string: OriginalFilenameUNFUGI.exe vs Scan_order.exe
Source: Scan_order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000000.00000000.204159990.000000000040A000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.595879092.000000000040A000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@2/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-DPTVOE
Source: C:\Users\user\Desktop\Scan_order.exe | File created: C:\Users\user\AppData\Local\Temp\~DFFCC5FEF3BD8D5BCE.TMP
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: Scan_order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan_order.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Scan_order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: unknown | Process created: C:\Users\user\Desktop\Scan_order.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: C:\Users\user\Desktop\Scan_order.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Users\user\Desktop\Scan_order.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000019.00000002.689367509.00000000032D1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 6128, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Scan_order.exe PID: 5260, type: MEMORY
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040481C push ebx; ret 0_2_0040481D
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00408422 push ecx; retf 0_2_00408423
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040403A push eax; ret 0_2_0040403B
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_004054C9 push esp; iretd 0_2_0040555C
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00408C9A push ecx; retf 0_2_00408CAF
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040414A push ECE29E81h; ret 0_2_0040414F
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040416C push EDC16208h; ret 0_2_00404173
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00408504 push eax; ret 0_2_00408527
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00406D10 push ebx; ret 0_2_00406D11
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00406A43 push esp; iretd 0_2_00406A44
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00406647 push edx; retn 0006h 0_2_00406648
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00402AF4 push cs; iretd 0_2_00402AF5
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_004086FD push 6DCDEB08h; retf 0_2_0040872B
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_004082A2 push ecx; retf 0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00405AB6 push A8FAEB08h; iretd 0_2_00405ABB
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040830C push ecx; retf 0_2_00408303
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00408B2A push ecx; retf 0_2_00408B5F
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_00405FCA push eax; retf 0_2_00405FCB
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_0040CFAE pushfd ; iretd 0_2_0040CFCD
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C4AA1 push 89F538D8h; ret 0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C4AE9 push 89F538D8h; ret 0_2_021C4AB4
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C3BF8 push cs; retf 0_2_021C3BF9
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C13F7 push 38C2EBD8h; retf 0_2_021C1408
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C46DF push 85C2EBD8h; retf 0_2_021C46F0
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C57B9 push eax; ret 0_2_021C57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D3737 push DDE8C938h; iretd 25_2_032D373C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D57B9 push eax; ret 25_2_032D57D5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D4AA1 push 89F538D8h; ret 25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D4AE9 push 89F538D8h; ret 25_2_032D4AB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 25_2_032D46DF push 85C2EBD8h; retf 25_2_032D46F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Scan_order.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C1E2D NtWriteVirtualMemory
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\Scan_order.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Scan_order.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Scan_order.exe, ieinstal.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C06BD second address: 00000000021C06BD instructions:
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C35DA second address: 00000000021C35DA instructions:
Source: C:\Users\user\Desktop\Scan_order.exe | RDTSC instruction interceptor: First address: 00000000021C603E second address: 00000000021C603E instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Scan_order.exe | Code function: 0_2_021C29E9 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636 | Thread sleep count: 252 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3636 | Thread sleep time: -2520000s >= -30000s
Source: Scan_order.exe, ieinstal.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        barindex
        Contains functionality to hide a thread from the debuggerShow sources
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_021C0549 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000051,?,?,0000FFFF,?0_2_021C0549
        Hides threads from debuggersShow sources
        Source: C:\Users\user\Desktop\Scan_order.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Users\user\Desktop\Scan_order.exeProcess queried: DebugPortJump to behavior
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess queried: DebugPortJump to behavior
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_021C29E9 rdtsc 0_2_021C29E9
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_021C36F0 LdrInitializeThunk,0_2_021C36F0
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_004027ED mov ebx, dword ptr fs:[00000030h]0_2_004027ED
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_021C2B29 mov eax, dword ptr fs:[00000030h]0_2_021C2B29
        Source: C:\Users\user\Desktop\Scan_order.exeCode function: 0_2_021C1E2D mov eax, dword ptr fs:[00000030h]0_2_021C1E2D
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C1E40  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C1E7D  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C16EC  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C4F5A  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C4F51  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C4F60  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C1C19  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C1C0A  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C550F  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C550B  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C5536  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C5524  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C4558  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C557D  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C5581  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C55A9  mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scan_order.exe  Code function: 0_2_021C55CD  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D2B15  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D4F60  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D4F5A  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D4F51  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D5524  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D5536  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D550F  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D550B  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D557D  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D4558  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D55A9  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D5581  mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Code function: 25_2_032D55CD  mov eax, dword ptr fs:[00000030h]
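The instruction the report flags over and over, mov eax, dword ptr fs:[30h], loads the address of the Process Environment Block on 32-bit Windows; the two bytes of interest are PEB.BeingDebugged at offset 2 and PEB.Ldr at offset 0Ch, which is how code like this checks for a debugger or walks loaded modules without calling any API. Note also that every hit sits in a non-image region (0x21Cxxxx in the dropper, 0x32Dxxxx in ieinstal.exe, the same base the dropper is reported writing to), not in the PE's own .text. The following static scanner is an added example, not part of the Joe Sandbox report or of the sample: it finds the common x86 encodings of a PEB read and reports whether a BeingDebugged fetch follows within a few bytes. The input bytes are constructed for the example; the offsets are not taken from the sample.

```python
import re
from typing import Dict, List

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of "mov r32, fs:[30h]":
#   mov eax, fs:[30h]  -> 64 A1 30 00 00 00           (A1 = mov eax, moffs32)
#   mov r32, fs:[30h]  -> 64 8B <modrm mod=00 rm=101> 30 00 00 00
# A modrm byte with mod=00, rm=101 is 0x05 | (reg << 3), i.e. 05 0D 15 ... 3D.
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",
    re.DOTALL,
)

# "movzx r32, byte ptr [r32+2]" -> 0F B6 <modrm mod=01, rm!=100> 02
# reads PEB.BeingDebugged once a register holds the PEB pointer.
_MODRM_DISP8 = bytes(m for m in range(0x40, 0x80) if (m & 7) != 4)
BEING_DEBUGGED = re.compile(rb"\x0F\xB6[" + re.escape(_MODRM_DISP8) + rb"]\x02", re.DOTALL)


def find_peb_reads(data: bytes, window: int = 16) -> List[Dict]:
    """Return one record per PEB read: offset, destination register, and
    whether a BeingDebugged read follows within `window` bytes."""
    hits = []
    for m in PEB_READ.finditer(data):
        opc = m.group(0)
        reg = "eax" if opc[1] == 0xA1 else REGS32[(opc[2] >> 3) & 7]
        follow = BEING_DEBUGGED.search(data, m.end(), m.end() + window)
        hits.append({"offset": m.start(), "reg": reg,
                     "being_debugged": follow is not None})
    return hits


# Constructed code bytes (hand-assembled for this example, not from the sample):
SAMPLE = bytes.fromhex(
    "55 8B EC"               # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, fs:[30h]          ; PEB
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged
    "85 C0 75 05"            # test eax, eax ; jnz +5
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[30h]          ; PEB again
    "8B 49 0C"               # mov ecx, [ecx+0Ch]         ; PEB.Ldr
    "5D C3"                  # pop ebp ; ret
)


if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE):
        print(f"+0x{h['offset']:04x}: mov {h['reg']}, fs:[30h]"
              f"{'  -> BeingDebugged check' if h['being_debugged'] else ''}")
```

Run it over a dumped memory region (the report's 0x21C0000 and 0x32D0000 ranges are the obvious candidates) rather than the on-disk PE: the compiler runtime and inlined GetModuleHandle code also read fs:[30h], so a handful of hits in a legitimate image is normal, while dozens of hits in a privately allocated, executable region that was written by another process is not.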

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Scan_order.exe  Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 32D0000
Source: C:\Users\user\Desktop\Scan_order.exe  Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Users\user\Desktop\Scan_order.exe  Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\Scan_order.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe  Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\uninstall.vbs'
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Manager[|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Managerros\logs.dat|
Source: logs.dat.25.dr  Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Manager0|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Managerr|
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: |Program Manager
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Manager StartedL
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: Program Manager Starteder8
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: |Program Managering\remcos\logs.dT
Source: ieinstal.exe, 00000019.00000002.689708466.0000000003867000.00000004.00000040.sdmp  Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
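Two details in the lines above are worth turning into a detection. First, the ieinstal.exe process is created with the command line 'C:\Users\user\Desktop\Scan_order.exe': the executable named on the command line is not the image that is running, which is what a hollowed child looks like when the parent passes its own command line through. Second, that hollowed process then launches wscript.exe on a .vbs in the user's Temp directory. The correlation below is an added example, not part of the report or of any vendor product: it works over constructed process-creation events with Sysmon-style field names (Image, CommandLine, ParentImage); the pids and the notepad.exe control event are invented, the three paths and command lines mirror the report.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed events shaped like Sysmon Event ID 1 records. The paths and
# command lines of the first three mirror the report; pids are invented and
# the notepad.exe entry is a benign control.
EVENTS: List[Dict] = [
    {"pid": 3000, "ppid": 1800,
     "Image": r"C:\Users\user\Desktop\Scan_order.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Scan_order.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"pid": 3100, "ppid": 3000,
     "Image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Scan_order.exe"',
     "ParentImage": r"C:\Users\user\Desktop\Scan_order.exe"},
    {"pid": 3200, "ppid": 3100,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\uninstall.vbs"',
     "ParentImage": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"},
    {"pid": 3300, "ppid": 1800,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" readme.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s[:1] in ('"', "'"):
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(ev: Dict) -> bool:
    """True when the executable named in CommandLine is not the running image.
    A hollowed process inherits the payload's command line from its creator,
    so the two disagree; for a normal launch they are the same file."""
    img = ntpath.basename(ev["Image"]).lower()
    named = ntpath.basename(argv0(ev["CommandLine"])).lower()
    return img != named


def script_host_from_temp(ev: Dict) -> bool:
    """wscript/cscript/mshta running a file out of %LOCALAPPDATA%\\Temp."""
    img = ntpath.basename(ev["Image"]).lower()
    return img in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in ev["CommandLine"].lower()


def hollowing_chains(events: List[Dict]) -> List[Tuple[int, int]]:
    """(suspect parent pid, script host pid) pairs: a process whose command
    line names a different executable than its image, which then runs a
    script host on a file in the user's Temp directory."""
    by_pid = {e["pid"]: e for e in events}
    found = []
    for ev in events:
        if not script_host_from_temp(ev):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is not None and image_cmdline_mismatch(parent):
            found.append((parent["pid"], ev["pid"]))
    return found


if __name__ == "__main__":
    for ev in EVENTS:
        if image_cmdline_mismatch(ev):
            print(f"pid {ev['pid']}: image {ev['Image']} but command line names {argv0(ev['CommandLine'])}")
    print("hollowing -> script host chains:", hollowing_chains(EVENTS))
```

The mismatch test alone fires on some legitimate launchers that rewrite their child's command line, so the chain rule keeps it as one half of a two-part condition. The second half is deliberately narrow: only script hosts, only files under Temp. On real telemetry you would also join on the memory-write or CreateRemoteThread event the report records (the parent writing to ieinstal.exe at base 32D0000), which this example does not model.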

Mitre Att&ck Matrix

Every cell of the matrix template is listed; a number after a technique is the count marker the page attaches to techniques with matching signatures, and techniques without a number had none. Empty cells are shown as blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 11 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 23 | LSASS Memory | Security Software Discovery 731 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Virtualization/Sandbox Evasion 23 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 32 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

Behavior Graph

[process/signature graph image; not included in this text extract]

        Screenshots
