Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

ID:	339372
Product:	CloudBasic
Start time:	21:50:26
Start date:	13.01.2021
Sample:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	754d599f8cdeb37d1f3f61764669d799
SHA1:	5e48dfb313f300b4d460e73bd25b324b88da0df7
SHA256:	7c328b51dbd9e7fb96ca2ed21358fd5112c809f9666f9287b55927302c7ac1ea
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Multi AV Scanner detection for submitted file

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

ReversingLabs: Detection: 20%

Compliance:

Uses 32bit PE files

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437688379.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000000.340886631.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Uses 32bit PE files

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Classification label

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Creates temporary files

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA8C396C0239A952E.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

ReversingLabs: Detection: 20%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_004075B4 push edi; iretd		0_2_004075B6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_00405F85 push edx; iretd		0_2_00405F86

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220323B		0_2_0220323B
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202E11		0_2_02202E11
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202E71		0_2_02202E71
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026E2		0_2_022026E2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202EF4		0_2_02202EF4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202EC5		0_2_02202EC5
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202F69		0_2_02202F69
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202FD4		0_2_02202FD4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203057		0_2_02203057
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022038B2		0_2_022038B2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022030DB		0_2_022030DB
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220292A		0_2_0220292A
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203135		0_2_02203135
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202D19		0_2_02202D19
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022031AB		0_2_022031AB
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202DAD		0_2_02202DAD
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E6		0_2_022071E6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02207DE9		0_2_02207DE9
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022065C3		0_2_022065C3
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02201DDB		0_2_02201DDB

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

RDTSC instruction interceptor: First address: 0000000002206A28 second address: 0000000002206A28 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9D08895FF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test edx, F234E3D4h 0x00000023 add edi, edx 0x00000025 dec dword ptr [ebp+000000F8h] 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F9D08895F76h 0x00000034 jmp 00007F9D08895FEEh 0x00000036 test dh, dh 0x00000038 call 00007F9D08896019h 0x0000003d call 00007F9D08896008h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206A20 rdtsc

0_2_02206A20

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206A20 rdtsc

0_2_02206A20

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203669 mov eax, dword ptr fs:[00000030h]		0_2_02203669
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02207258 mov eax, dword ptr fs:[00000030h]		0_2_02207258
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026E2 mov eax, dword ptr fs:[00000030h]		0_2_022026E2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026F4 mov eax, dword ptr fs:[00000030h]		0_2_022026F4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02205C60 mov eax, dword ptr fs:[00000030h]		0_2_02205C60
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220244B mov eax, dword ptr fs:[00000030h]		0_2_0220244B
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202457 mov eax, dword ptr fs:[00000030h]		0_2_02202457
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E6 mov eax, dword ptr fs:[00000030h]		0_2_022071E6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E8 mov eax, dword ptr fs:[00000030h]		0_2_022071E8
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022065C3 mov eax, dword ptr fs:[00000030h]		0_2_022065C3
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02201DDB mov eax, dword ptr fs:[00000030h]		0_2_02201DDB

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206376 cpuid

0_2_02206376