Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Virustotal: Detection: 12% |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: initial sample |
Static PE information: Filename: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_00402F88 |
0_2_00402F88 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295E33 |
0_2_02295E33 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229626A |
0_2_0229626A |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02290252 |
0_2_02290252 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295ECB |
0_2_02295ECB |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295AD9 |
0_2_02295AD9 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295F31 |
0_2_02295F31 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02296705 |
0_2_02296705 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022957BD |
0_2_022957BD |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02296395 |
0_2_02296395 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229841D |
0_2_0229841D |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229244E |
0_2_0229244E |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295C81 |
0_2_02295C81 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02295D2A |
0_2_02295D2A |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229613B |
0_2_0229613B |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02296509 |
0_2_02296509 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02293519 |
0_2_02293519 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02290162 |
0_2_02290162 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02293567 |
0_2_02293567 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022959BC |
0_2_022959BC |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02293589 |
0_2_02293589 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229358D |
0_2_0229358D |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1737310362.0000000000416000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameFricandelle1.exe vs JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1738227034.00000000021D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Binary or memory string: OriginalFilenameFricandelle1.exe vs JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Source: classification engine |
Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFA618075B7A804723.TMP |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe PID: 5136, type: MEMORY |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0040787B push C3C31A0Bh; ret |
0_2_00407880 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0040A14E push ss; iretd |
0_2_0040A14F |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0040AA56 push 4E927E2Fh; ret |
0_2_0040AA5C |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0040C333 push edi; retf |
0_2_0040C334 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_00408F90 push FFFFFFABh; iretd |
0_2_00408F9F |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022950AC push ss; retf |
0_2_022950AE |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02294546 push esi; ret |
0_2_02294575 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229519D push eax; iretd |
0_2_022951A6 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02297644 |
0_2_02297644 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
System information queried: CurrentTimeZoneInformation |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
RDTSC instruction interceptor: First address: 0000000002293853 second address: 0000000002293853 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC5C8C91CE8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e push di 0x00000020 mov di, FE52h 0x00000024 pop di 0x00000026 add edi, edx 0x00000028 jmp 00007FC5C8C91CDEh 0x0000002a cmp ebx, 8E3A430Eh 0x00000030 dec ecx 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FC5C8C91C65h 0x00000036 push ecx 0x00000037 cmp eax, ecx 0x00000039 call 00007FC5C8C91D07h 0x0000003e call 00007FC5C8C91CF8h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_0229322E rdtsc |
0_2_0229322E |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02293653 mov eax, dword ptr fs:[00000030h] |
0_2_02293653 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02296AA6 mov eax, dword ptr fs:[00000030h] |
0_2_02296AA6 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022922CB mov eax, dword ptr fs:[00000030h] |
0_2_022922CB |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022922D7 mov eax, dword ptr fs:[00000030h] |
0_2_022922D7 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_02291C0A mov eax, dword ptr fs:[00000030h] |
0_2_02291C0A |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022960A4 mov eax, dword ptr fs:[00000030h] |
0_2_022960A4 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022960A6 mov eax, dword ptr fs:[00000030h] |
0_2_022960A6 |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022925AB mov eax, dword ptr fs:[00000030h] |
0_2_022925AB |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022925BD mov eax, dword ptr fs:[00000030h] |
0_2_022925BD |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1738036580.0000000000D60000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1738036580.0000000000D60000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1738036580.0000000000D60000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe, 00000000.00000002.1738036580.0000000000D60000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe |
Code function: 0_2_022928F4 cpuid |
0_2_022928F4 |