Analysis Report URGENT MEDICAL REQUIREMENT.exe

Overview

General Information

Sample Name: URGENT MEDICAL REQUIREMENT.exe
Analysis ID: 339333
MD5: 8272ecc1672ecb390cdedb27df85b20d
SHA1: a77c9fc2b255398f53d28f6e67633c62a0143fa5
SHA256: 1a4407fd45881091495f927612c7be23ab6de71949e4192cdc58154986d2c827
Tags: exe, GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: URGENT MEDICAL REQUIREMENT.exe Virustotal: Detection: 24%

Compliance:

Uses 32bit PE files
Source: URGENT MEDICAL REQUIREMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422C4B 0_2_00422C4B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042206B 0_2_0042206B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042526F 0_2_0042526F
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00421677 0_2_00421677
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042287B 0_2_0042287B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422600 0_2_00422600
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00426613 0_2_00426613
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00425217 0_2_00425217
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00427A2B 0_2_00427A2B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422437 0_2_00422437
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00427634 0_2_00427634
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004252C0 0_2_004252C0
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004276D7 0_2_004276D7
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004222F7 0_2_004222F7
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00425AFF 0_2_00425AFF
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422E83 0_2_00422E83
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00427688 0_2_00427688
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004254A3 0_2_004254A3
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042274B 0_2_0042274B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422F5F 0_2_00422F5F
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042335D 0_2_0042335D
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422967 0_2_00422967
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042797F 0_2_0042797F
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00423303 0_2_00423303
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00425D08 0_2_00425D08
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00427512 0_2_00427512
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042191B 0_2_0042191B
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042611F 0_2_0042611F
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00425937 0_2_00425937
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004259D3 0_2_004259D3
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004221D7 0_2_004221D7
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004275EB 0_2_004275EB
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422B83 0_2_00422B83
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004213AB 0_2_004213AB
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004227AF 0_2_004227AF
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004253AF 0_2_004253AF
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422DB3 0_2_00422DB3
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00421FBB 0_2_00421FBB
PE file contains strange resources
Source: URGENT MEDICAL REQUIREMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258460847.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs URGENT MEDICAL REQUIREMENT.exe
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1257535826.0000000000410000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHybridizers5.exe vs URGENT MEDICAL REQUIREMENT.exe
Source: URGENT MEDICAL REQUIREMENT.exe Binary or memory string: OriginalFilenameHybridizers5.exe vs URGENT MEDICAL REQUIREMENT.exe
Uses 32bit PE files
Source: URGENT MEDICAL REQUIREMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe File created: C:\Users\user\AppData\Local\Temp\~DFE70F2CB0D79118EF.TMP
Source: URGENT MEDICAL REQUIREMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: URGENT MEDICAL REQUIREMENT.exe Virustotal: Detection: 24%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: URGENT MEDICAL REQUIREMENT.exe PID: 6388, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: URGENT MEDICAL REQUIREMENT.exe PID: 6388, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00405063 pushfd ; iretd 0_2_00405064
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00406863 pushfd ; iretd 0_2_0040686C
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00405E7C push esp; iretd 0_2_00405E84
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004048F3 pushfd ; iretd 0_2_00404998
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004070B3 pushfd ; iretd 0_2_004070B4
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00426CBE push eax; ret 0_2_00426CBF
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00423BD6 push esp; retf 0_2_00423BD7
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00423BF8 push esp; retf 0_2_00423BFE
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042181B 0_2_0042181B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe RDTSC instruction interceptor: First address: 00000000004265EB second address: 00000000004265EB instructions:
Potential time zone aware malware
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe System information queried: CurrentTimeZoneInformation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: URGENT MEDICAL REQUIREMENT.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe RDTSC instruction interceptor: First address: 00000000004265EB second address: 00000000004265EB instructions:
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe RDTSC instruction interceptor: First address: 0000000000426348 second address: 0000000000426348 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F9854B64FA8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d cmp ch, dh
  0x0000001f add edi, edx
  0x00000021 cmp ah, 00000069h
  0x00000024 dec dword ptr [ebp+000000F8h]
  0x0000002a cmp bl, bl
  0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000033 jne 00007F9854B64F85h
  0x00000035 call 00007F9854B64FD8h
  0x0000003a call 00007F9854B64FB8h
  0x0000003f lfence
  0x00000042 mov edx, dword ptr [7FFE0014h]
  0x00000048 lfence
  0x0000004b ret
  0x0000004c mov esi, edx
  0x0000004e pushad
  0x0000004f rdtsc
Note: the RDTSC and CPUID results themselves are discarded (xor eax, eax / cpuid / popad restores the registers). The elapsed time is read from 7FFE0014h, the low dword of KUSER_SHARED_DATA.SystemTime, and accumulated across iterations (sub edx, esi; add edi, edx) while the counter at [ebp+F8h] runs down. Faking RDTSC values on their own therefore does not neutralise this measurement; what it times is the cost of the CPUID exit inside each iteration.
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00421847 rdtsc 0_2_00421847
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: URGENT MEDICAL REQUIREMENT.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00421847 rdtsc 0_2_00421847
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00426031 mov eax, dword ptr fs:[00000030h] 0_2_00426031
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422437 mov eax, dword ptr fs:[00000030h] 0_2_00422437
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00425A39 mov eax, dword ptr fs:[00000030h] 0_2_00425A39
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042223C mov eax, dword ptr fs:[00000030h] 0_2_0042223C
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_004232E6 mov eax, dword ptr fs:[00000030h] 0_2_004232E6
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_0042249A mov eax, dword ptr fs:[00000030h] 0_2_0042249A
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00421F4F mov eax, dword ptr fs:[00000030h] 0_2_00421F4F
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00423303 mov eax, dword ptr fs:[00000030h] 0_2_00423303
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258241168.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258241168.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258241168.0000000000C70000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258241168.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: URGENT MEDICAL REQUIREMENT.exe, 00000000.00000002.1258241168.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
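The RDTSC/CPUID timing loop under Malware Analysis System Evasion, the fs:[30h] PEB reads above and the push/ret and pushfd/iretd stubs under Data Obfuscation are all fixed opcode sequences that can be found without executing the sample. The scanner below is an added example written for this report; it is not Joe Sandbox code and not code from the sample. It searches a raw 32-bit x86 blob for those sequences, flags RDTSC pairs that bracket a CPUID (the VM-exit timing check the "CPUID execution measurement" signature describes) and looks for the qemu-ga.exe artefact string in ASCII and UTF-16LE. The input bytes are constructed: the interceptor trace is re-encoded as x86 with placeholder call/jne displacements, and a PEB read, the obfuscation stubs and the path string are appended to exercise the remaining checks.

```python
"""Static triage for the anti-analysis primitives flagged in the report.

Heuristic opcode-pattern scan over raw 32-bit x86 code. No disassembler is
used, so every hit is a candidate for manual review, not proof.
"""
import re
from typing import Dict, List, Tuple

# 32-bit x86 opcode patterns for the primitives named in the report.
PATTERNS = {
    "rdtsc": re.compile(rb"\x0f\x31"),
    "cpuid": re.compile(rb"\x0f\xa2"),
    # mov r32, dword ptr [7FFE0014h]: KUSER_SHARED_DATA.SystemTime, low dword.
    # The ModRM byte (or the A1 short form for eax) selects the destination.
    "kuser_systemtime_read": re.compile(
        rb"(?:\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]|\xa1)\x14\x00\xfe\x7f"),
    # mov r32, dword ptr fs:[30h]: TEB -> PEB (BeingDebugged, NtGlobalFlag).
    "peb_read": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
    # pushfd ; iretd  and  push r32 ; ret/retf: control-flow obfuscation stubs.
    "pushfd_iretd": re.compile(rb"\x9c\xcf"),
    "push_ret": re.compile(rb"[\x50-\x57][\xc3\xcb]"),
}

# Sandbox/VM artefact names the report shows in the sample's memory.
SANDBOX_STRINGS = [b"qemu-ga.exe"]


def find_primitives(code: bytes) -> Dict[str, List[int]]:
    """Offsets of every pattern hit, keyed by primitive name."""
    return {name: [m.start() for m in pat.finditer(code)]
            for name, pat in PATTERNS.items()}


def timing_windows(code: bytes, max_span: int = 256) -> List[Tuple[int, int]]:
    """RDTSC pairs with at least one CPUID between them within max_span bytes.

    CPUID always traps to the hypervisor, so the time between the two RDTSCs
    is far larger under virtualisation than on bare metal.
    """
    hits = find_primitives(code)
    rdtsc, cpuid = hits["rdtsc"], hits["cpuid"]
    return [(a, b) for a, b in zip(rdtsc, rdtsc[1:])
            if b - a <= max_span and any(a < c < b for c in cpuid)]


def sandbox_strings(blob: bytes) -> List[str]:
    """Artefact strings present as ASCII or UTF-16LE, case-insensitively."""
    haystack = blob.lower()          # bytes.lower() only touches ASCII letters
    found = []
    for needle in SANDBOX_STRINGS:
        wide = needle.decode("ascii").encode("utf-16-le")
        if needle.lower() in haystack or wide.lower() in haystack:
            found.append(needle.decode("ascii"))
    return found


def scan(blob: bytes) -> Dict[str, object]:
    """Combined result for one code blob (a PE section or a memory dump)."""
    prims = find_primitives(blob)
    return {
        "primitives": {k: v for k, v in prims.items() if v},
        "timing_windows": timing_windows(blob),
        "sandbox_strings": sandbox_strings(blob),
    }


# CONSTRUCTED input: the report's interceptor trace re-encoded as 32-bit x86.
# call/jne displacements are zero placeholders, not the sample's real targets.
TRACE = bytes.fromhex(
    "0f31" "31c0" "40" "0fa2" "61"           # rdtsc; xor eax,eax; inc eax; cpuid; popad
    "e800000000" "0faee8"                    # call; lfence
    "8b151400fe7f" "0faee8" "c3"             # mov edx,[7FFE0014h]; lfence; ret
    "2bd6" "c3" "38f5" "03fa" "80fc69"       # sub edx,esi; ret; cmp ch,dh; add edi,edx; cmp ah,69h
    "ff8df8000000" "38db"                    # dec [ebp+F8h]; cmp bl,bl
    "83bdf800000000" "7500"                  # cmp [ebp+F8h],0; jne
    "e800000000" "e800000000" "0faee8"       # call; call; lfence
    "8b151400fe7f" "0faee8" "c3"             # mov edx,[7FFE0014h]; lfence; ret
    "8bf2" "60" "0f31"                       # mov esi,edx; pushad; rdtsc (offset 0x4f)
)
# Appended to exercise the other checks (also constructed, not from the sample).
EXTRA = bytes.fromhex(
    "64a130000000"      # 0x51 mov eax, dword ptr fs:[30h]
    "9ccf"              # 0x57 pushfd ; iretd
    "54cb" "50c3"       # 0x59 push esp ; retf   0x5b push eax ; ret
)
SAMPLE = TRACE + EXTRA + b"C:\\Program Files\\Qemu-ga\\qemu-ga.exe\x00"

if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(f"{key}: {value}")
```

The report's Yara matches are against process memory (PID 6388) rather than the file, so scanning the on-disk PE alone can miss the stage that actually carries these sequences; run the scan over a memory dump as well as the .text section. Without a disassembler the byte patterns can also land inside data or in the middle of a longer instruction, so treat hits as leads to confirm in a disassembler, not as a verdict.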

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\URGENT MEDICAL REQUIREMENT.exe Code function: 0_2_00422E83 cpuid 0_2_00422E83
Behavior Graph

Behavior Graph ID: 339333
Sample: URGENT MEDICAL REQUIREMENT.exe
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 84
Graph signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Contains functionality to detect hardware virtualization (CPUID execution measurement); 5 other signatures
Process started: URGENT MEDICAL REQUIREMENT.exe (signature: Potential time zone aware malware)
No contacted IPs.