Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
ReversingLabs: Detection: 20% |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Process Stats: CPU usage > 98% |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437688379.00000000021D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000000.340886631.0000000000414000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFA8C396C0239A952E.TMP |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180, type: MEMORY |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_004075B4 push edi; iretd |
0_2_004075B6 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_00405F85 push edx; iretd |
0_2_00405F86 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0220323B |
0_2_0220323B |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202E11 |
0_2_02202E11 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202E71 |
0_2_02202E71 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022026E2 |
0_2_022026E2 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202EF4 |
0_2_02202EF4 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202EC5 |
0_2_02202EC5 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202F69 |
0_2_02202F69 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202FD4 |
0_2_02202FD4 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02203057 |
0_2_02203057 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022038B2 |
0_2_022038B2 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022030DB |
0_2_022030DB |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0220292A |
0_2_0220292A |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02203135 |
0_2_02203135 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202D19 |
0_2_02202D19 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022031AB |
0_2_022031AB |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202DAD |
0_2_02202DAD |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022071E6 |
0_2_022071E6 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02207DE9 |
0_2_02207DE9 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022065C3 |
0_2_022065C3 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02201DDB |
0_2_02201DDB |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
RDTSC instruction interceptor: First address: 0000000002206A28 second address: 0000000002206A28 instructions: |
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F9D08895FF8h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d test edx, F234E3D4h
    0x00000023 add edi, edx
    0x00000025 dec dword ptr [ebp+000000F8h]
    0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000032 jne 00007F9D08895F76h
    0x00000034 jmp 00007F9D08895FEEh
    0x00000036 test dh, dh
    0x00000038 call 00007F9D08896019h
    0x0000003d call 00007F9D08896008h
    0x00000042 lfence
    0x00000045 mov edx, dword ptr [7FFE0014h]
    0x0000004b lfence
    0x0000004e ret
    0x0000004f mov esi, edx
    0x00000051 pushad
    0x00000052 rdtsc
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02206A20 rdtsc |
0_2_02206A20 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02203669 mov eax, dword ptr fs:[00000030h] |
0_2_02203669 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02207258 mov eax, dword ptr fs:[00000030h] |
0_2_02207258 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022026E2 mov eax, dword ptr fs:[00000030h] |
0_2_022026E2 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022026F4 mov eax, dword ptr fs:[00000030h] |
0_2_022026F4 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02205C60 mov eax, dword ptr fs:[00000030h] |
0_2_02205C60 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0220244B mov eax, dword ptr fs:[00000030h] |
0_2_0220244B |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02202457 mov eax, dword ptr fs:[00000030h] |
0_2_02202457 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022071E6 mov eax, dword ptr fs:[00000030h] |
0_2_022071E6 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022071E8 mov eax, dword ptr fs:[00000030h] |
0_2_022071E8 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022065C3 mov eax, dword ptr fs:[00000030h] |
0_2_022065C3 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02201DDB mov eax, dword ptr fs:[00000030h] |
0_2_02201DDB |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02206376 cpuid |
0_2_02206376 |