
Analysis Report: Proof of payment.exe

Overview

General Information

Sample Name: Proof of payment.exe
Analysis ID: 338405
MD5: 606275919e922f6a1f639c42f8e2580c
SHA1: 32d9ef9a02da8cf64594608c61bb7adc7b397703
SHA256: 94644b63a2f087324bcbab6b789ec015939cee82844f788987835837f57d0acc
Tags: exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Proof of payment.exe (PID: 5352 cmdline: 'C:\Users\user\Desktop\Proof of payment.exe' MD5: 606275919E922F6A1F639C42F8E2580C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: Proof of payment.exe PID: 5352 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: Proof of payment.exe PID: 5352 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Proof of payment.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Proof of payment.exe
Source: C:\Users\user\Desktop\Proof of payment.exe | Process Stats: CPU usage > 98%
Source: Proof of payment.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Proof of payment.exe, 00000000.00000002.1288564482.0000000002250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Proof of payment.exe
Source: Proof of payment.exe, 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe
Source: Proof of payment.exe | Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe
Source: Proof of payment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Proof of payment.exe | File created: C:\Users\user\AppData\Local\Temp\~DF1BAB6DD5B79524A4.TMP
Source: Proof of payment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proof of payment.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_00402CAE push edx; retf 0_2_00402CAF
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004059F9 push FFFFFFC2h; ret 0_2_00405A30
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_0040460F push esi; iretd 0_2_00404613
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004077E4 push es; ret 0_2_004077F7
Source: C:\Users\user\Desktop\Proof of payment.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F284A 0_2_004F284A
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F0C5C 0_2_004F0C5C
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F1948 0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F2966 0_2_004F2966
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F0D06 0_2_004F0D06
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F2642 0_2_004F2642
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F262E 0_2_004F262E
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F53D3 0_2_004F53D3
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Proof of payment.exe | RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proof of payment.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Proof of payment.exe | RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:
      Source: C:\Users\user\Desktop\Proof of payment.exeRDTSC instruction interceptor: First address: 00000000004F53F1 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bh, dh 0x0000000d xor edi, edi 0x0000000f cmp bx, dx 0x00000012 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001c cmp bh, ah 0x0000001e push edi 0x0000001f jmp 00007F6314B6B4DDh 0x00000021 call 00007F6314B6B469h 0x00000026 pop edi 0x00000027 jmp edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b mov dh, 46h 0x0000002d cmp dh, 00000046h 0x00000030 jne 00007F6314B6863Dh 0x00000036 popad 0x00000037 call 00007F6314B6B4EBh 0x0000003c call 00007F6314B6B4A8h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
      Source: C:\Users\user\Desktop\Proof of payment.exeRDTSC instruction interceptor: First address: 00000000004F54D3 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6314B667A8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bl, FFFFFFAAh 0x00000020 cmp ax, bx 0x00000023 jmp 00007F6314B667BAh 0x00000025 test ecx, 2977CC05h 0x0000002b add edi, edx 0x0000002d cmp dl, dl 0x0000002f dec dword ptr [ebp+000000F8h] 0x00000035 test ah, dh 0x00000037 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003e jne 00007F6314B66701h 0x00000044 push edi 0x00000045 jmp 00007F6314B667EDh 0x00000047 call 00007F6314B66779h 0x0000004c pop edi 0x0000004d jmp edi 0x0000004f pop edi 0x00000050 pushad 0x00000051 mov dh, 46h 0x00000053 cmp dh, 00000046h 0x00000056 jne 00007F6314B6394Dh 0x0000005c popad 0x0000005d call 00007F6314B667FBh 0x00000062 call 00007F6314B667B8h 0x00000067 lfence 0x0000006a mov edx, dword ptr [7FFE0014h] 0x00000070 lfence 0x00000073 ret 0x00000074 mov esi, edx 0x00000076 pushad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F284A rdtsc 0_2_004F284A
Source: Proof of payment.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F205F mov eax, dword ptr fs:[00000030h] 0_2_004F205F
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F4CD5 mov eax, dword ptr fs:[00000030h] 0_2_004F4CD5
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F208E mov eax, dword ptr fs:[00000030h] 0_2_004F208E
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F1948 mov eax, dword ptr fs:[00000030h] 0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F2DCB mov eax, dword ptr fs:[00000030h] 0_2_004F2DCB
Source: C:\Users\user\Desktop\Proof of payment.exe | Code function: 0_2_004F519B mov eax, dword ptr fs:[00000030h] 0_2_004F519B
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Proof of payment.exe | Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Process Injection1 | OS Credential Dumping | Security Software Discovery411 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery311 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph

Screenshots
