Analysis Report NEWORDERrefno0992883jpg.exe

Overview

General Information

Sample Name: NEWORDERrefno0992883jpg.exe
Analysis ID: 342213
MD5: 55124bc60c871581f110b6f09e8ee902
SHA1: a198c5115c4d7f9e61a06020c814c2b5b4fba0f8
SHA256: 8c6cae9078b175b331c1d6154045deea386850a75e4e2a250fe4f4d920cf1a4a
Tags: exe, nVpn, RAT, RemcosRAT

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: NEWORDERrefno0992883jpg.exe Virustotal: Detection: 23%

Compliance:

Uses 32bit PE files
Source: NEWORDERrefno0992883jpg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49731 -> 185.140.53.253:2048
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.140.53.253
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00568FBC InternetReadFile, 6_2_00568FBC
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: PILGRIMIZES.exe, 00000006.00000002.415798264.0000000000A00000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digi
Source: PILGRIMIZES.exe, 00000006.00000002.415833995.0000000000A3B000.00000004.00000020.sdmp, PILGRIMIZES.exe, 00000006.00000002.415798264.0000000000A00000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: PILGRIMIZES.exe, 00000006.00000002.415833995.0000000000A3B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: PILGRIMIZES.exe, 00000006.00000002.415833995.0000000000A3B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: PILGRIMIZES.exe, 00000006.00000002.415757520.00000000009B8000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: PILGRIMIZES.exe String found in binary or memory: https://onedrive.live.com/download?cid=3EA7AF3CF2A8B6E2&resid=3EA7AF3CF2A8B6E2%21121&authkey=AMq9sG-
Source: PILGRIMIZES.exe, 00000006.00000002.415757520.00000000009B8000.00000004.00000020.sdmp String found in binary or memory: https://ry3dmw.dm.files.1drv.com/
Source: PILGRIMIZES.exe, 00000006.00000002.415798264.0000000000A00000.00000004.00000020.sdmp String found in binary or memory: https://ry3dmw.dm.files.1drv.com/y4m5Uk8XK7Wl1Kz2W_ObQ202aCzFbJtOLqXH5zzyoS4s7PNVv2jQFwK-Dxrh70VAS6o
Source: PILGRIMIZES.exe, 00000006.00000002.415757520.00000000009B8000.00000004.00000020.sdmp, PILGRIMIZES.exe, 00000006.00000002.415814005.0000000000A1C000.00000004.00000020.sdmp String found in binary or memory: https://ry3dmw.dm.files.1drv.com/y4mCJVSTmiHuzMhULmUNmg4EimfSRflb83yNVhTry70q37pI5b1gbJ6e_SyvPbvtOFB

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NEWORDERrefno0992883jpg.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F32BD NtWriteVirtualMemory, 0_2_021F32BD
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F08E0 NtSetInformationThread, 0_2_021F08E0
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F8BF1 NtProtectVirtualMemory, 0_2_021F8BF1
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F3807 NtWriteVirtualMemory, 0_2_021F3807
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F3447 NtWriteVirtualMemory, 0_2_021F3447
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F3645 NtWriteVirtualMemory, 0_2_021F3645
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F2EB1 NtSetInformationThread, 0_2_021F2EB1
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F0949 NtSetInformationThread,LoadLibraryA, 0_2_021F0949
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F3568 NtWriteVirtualMemory, 0_2_021F3568
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F4791 NtSetInformationThread,LoadLibraryA, 0_2_021F4791
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F8BBB NtProtectVirtualMemory, 0_2_021F8BBB
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F09D6 NtSetInformationThread, 0_2_021F09D6
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F21CE NtSetInformationThread, 0_2_021F21CE
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_00568BF1 NtProtectVirtualMemory, 1_2_00568BF1
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_00568BBB NtProtectVirtualMemory, 1_2_00568BBB
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023132BD NtWriteVirtualMemory, 3_2_023132BD
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023108E0 NtSetInformationThread, 3_2_023108E0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02318BF1 NtProtectVirtualMemory, 3_2_02318BF1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02313807 NtWriteVirtualMemory, 3_2_02313807
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02313645 NtWriteVirtualMemory, 3_2_02313645
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02313447 NtWriteVirtualMemory, 3_2_02313447
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02312EB1 NtSetInformationThread, 3_2_02312EB1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02313568 NtWriteVirtualMemory, 3_2_02313568
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02310949 NtSetInformationThread,LoadLibraryA, 3_2_02310949
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02318BBB NtProtectVirtualMemory, 3_2_02318BBB
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02314791 NtSetInformationThread,LoadLibraryA, 3_2_02314791
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023109D6 NtSetInformationThread, 3_2_023109D6
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023121CE NtSetInformationThread, 3_2_023121CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_005608E0 NtSetInformationThread, 6_2_005608E0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00564779 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,LoadLibraryA, 6_2_00564779
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00568BF1 NtProtectVirtualMemory, 6_2_00568BF1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00562EB1 NtSetInformationThread, 6_2_00562EB1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00560949 NtSetInformationThread,LoadLibraryA, 6_2_00560949
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_005609D6 NtSetInformationThread, 6_2_005609D6
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_005621CE NtSetInformationThread, 6_2_005621CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00568BBB NtProtectVirtualMemory, 6_2_00568BBB
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D32BD NtWriteVirtualMemory, 8_2_021D32BD
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D08E0 NtSetInformationThread, 8_2_021D08E0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D8FBC NtResumeThread, 8_2_021D8FBC
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D8BF1 NtProtectVirtualMemory, 8_2_021D8BF1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D3807 NtWriteVirtualMemory, 8_2_021D3807
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D3645 NtWriteVirtualMemory, 8_2_021D3645
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D3447 NtWriteVirtualMemory, 8_2_021D3447
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D906E NtResumeThread, 8_2_021D906E
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D2EB1 NtSetInformationThread, 8_2_021D2EB1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D0949 NtSetInformationThread,LoadLibraryA, 8_2_021D0949
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D9779 NtResumeThread, 8_2_021D9779
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D3568 NtWriteVirtualMemory, 8_2_021D3568
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D939B NtResumeThread, 8_2_021D939B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D4791 NtSetInformationThread,LoadLibraryA, 8_2_021D4791
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D8BBB NtProtectVirtualMemory, 8_2_021D8BBB
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D95B3 NtResumeThread, 8_2_021D95B3
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D09D6 NtSetInformationThread, 8_2_021D09D6
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D21CE NtSetInformationThread, 8_2_021D21CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005608E0 NtSetInformationThread, 11_2_005608E0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00564779 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,LoadLibraryA, 11_2_00564779
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00568BF1 NtProtectVirtualMemory, 11_2_00568BF1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00568FBC NtQueryInformationProcess, 11_2_00568FBC
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_0056906E NtQueryInformationProcess, 11_2_0056906E
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00562EB1 NtSetInformationThread, 11_2_00562EB1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00560949 NtSetInformationThread,LoadLibraryA, 11_2_00560949
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00569779 NtQueryInformationProcess, 11_2_00569779
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005609D6 NtSetInformationThread, 11_2_005609D6
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005621CE NtSetInformationThread, 11_2_005621CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_0056939B NtQueryInformationProcess, 11_2_0056939B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005695B3 NtQueryInformationProcess, 11_2_005695B3
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00568BBB NtProtectVirtualMemory, 11_2_00568BBB
Detected potential crypto function
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_0040418E 0_2_0040418E
PE file contains strange resources
Source: NEWORDERrefno0992883jpg.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PILGRIMIZES.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: NEWORDERrefno0992883jpg.exe, 00000000.00000002.351770668.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs NEWORDERrefno0992883jpg.exe
Source: NEWORDERrefno0992883jpg.exe, 00000000.00000002.351564161.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSELVMODSIGELSE.exe vs NEWORDERrefno0992883jpg.exe
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000000.349891066.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSELVMODSIGELSE.exe vs NEWORDERrefno0992883jpg.exe
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697482243.0000000002460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs NEWORDERrefno0992883jpg.exe
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.701392626.000000001DED0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs NEWORDERrefno0992883jpg.exe
Source: NEWORDERrefno0992883jpg.exe Binary or memory string: OriginalFilenameSELVMODSIGELSE.exe vs NEWORDERrefno0992883jpg.exe
Uses 32bit PE files
Source: NEWORDERrefno0992883jpg.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000007.00000003.399918336.000002634EBD5000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/3@7/1
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Mutant created: \Sessions\1\BaseNamedObjects\idll-LLXXO1
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File created: C:\Users\user\AppData\Local\Temp\~DF212361AE709111D3.TMP
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.vbs'
Source: NEWORDERrefno0992883jpg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: NEWORDERrefno0992883jpg.exe Virustotal: Detection: 23%
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File read: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe
Source: unknown Process created: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe 'C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.vbs'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Process created: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe 'C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.415603840.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.438708197.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.696666279.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEWORDERrefno0992883jpg.exe PID: 4712, type: MEMORY
Source: Yara match File source: Process Memory Space: NEWORDERrefno0992883jpg.exe PID: 1908, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 7140, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 6668, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 6776, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 5668, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: NEWORDERrefno0992883jpg.exe PID: 4712, type: MEMORY
Source: Yara match File source: Process Memory Space: NEWORDERrefno0992883jpg.exe PID: 1908, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 7140, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 6668, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 6776, type: MEMORY
Source: Yara match File source: Process Memory Space: PILGRIMIZES.exe PID: 5668, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_00405466 pushfd ; iretd 0_2_00405467
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_00406293 push edx; ret 0_2_004062A0
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_00565BCF push FFFFFFF4h; retf 1_2_00565BD1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00565BCF push FFFFFFF4h; retf 6_2_00565BD1
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00565BCF push FFFFFFF4h; retf 11_2_00565BD1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce unturbid C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.vbs
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce unturbid
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe RDTSC instruction interceptor: First address: 0000000000561383 second address: 0000000000561383 instructions:
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe RDTSC instruction interceptor: First address: 00000000005617F6 second address: 00000000005617F6 instructions:
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe RDTSC instruction interceptor: First address: 0000000000561383 second address: 0000000000561383 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PILGRIMIZES.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe RDTSC instruction interceptor: First address: 0000000000561383 second address: 0000000000561383 instructions:
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe RDTSC instruction interceptor: First address: 00000000005617F6 second address: 00000000005617F6 instructions:
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe RDTSC instruction interceptor: First address: 0000000000561383 second address: 0000000000561383 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F1658 rdtsc 0_2_021F1658
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Window / User API: threadDelayed 824
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe TID: 5772 Thread sleep count: 824 > 30
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe TID: 5772 Thread sleep time: -8240000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Last function: Thread delayed
Source: PILGRIMIZES.exe, 00000006.00000002.415757520.00000000009B8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: PILGRIMIZES.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F08E0 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,021F7E3E,F21FD920 0_2_021F08E0
Hides threads from debuggers
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F1658 rdtsc 0_2_021F1658
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_005651B6 LdrInitializeThunk, 1_2_005651B6
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F2A2B mov eax, dword ptr fs:[00000030h] 0_2_021F2A2B
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F3CD0 mov eax, dword ptr fs:[00000030h] 0_2_021F3CD0
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F70EA mov eax, dword ptr fs:[00000030h] 0_2_021F70EA
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F8511 mov eax, dword ptr fs:[00000030h] 0_2_021F8511
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F2B5F mov eax, dword ptr fs:[00000030h] 0_2_021F2B5F
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F7780 mov eax, dword ptr fs:[00000030h] 0_2_021F7780
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F21CE mov eax, dword ptr fs:[00000030h] 0_2_021F21CE
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F2BC9 mov eax, dword ptr fs:[00000030h] 0_2_021F2BC9
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_0056776E mov eax, dword ptr fs:[00000030h] 1_2_0056776E
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_00568511 mov eax, dword ptr fs:[00000030h] 1_2_00568511
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_00563CD0 mov eax, dword ptr fs:[00000030h] 1_2_00563CD0
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 1_2_005670EA mov eax, dword ptr fs:[00000030h] 1_2_005670EA
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02312A2B mov eax, dword ptr fs:[00000030h] 3_2_02312A2B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023170EA mov eax, dword ptr fs:[00000030h] 3_2_023170EA
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02313CD0 mov eax, dword ptr fs:[00000030h] 3_2_02313CD0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02318511 mov eax, dword ptr fs:[00000030h] 3_2_02318511
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02312B5F mov eax, dword ptr fs:[00000030h] 3_2_02312B5F
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02317780 mov eax, dword ptr fs:[00000030h] 3_2_02317780
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_02312BC9 mov eax, dword ptr fs:[00000030h] 3_2_02312BC9
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 3_2_023121CE mov eax, dword ptr fs:[00000030h] 3_2_023121CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00562BC9 mov eax, dword ptr fs:[00000030h] 6_2_00562BC9
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00562A2B mov eax, dword ptr fs:[00000030h] 6_2_00562A2B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00563CD0 mov eax, dword ptr fs:[00000030h] 6_2_00563CD0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_005670EA mov eax, dword ptr fs:[00000030h] 6_2_005670EA
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00562B5F mov eax, dword ptr fs:[00000030h] 6_2_00562B5F
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00568511 mov eax, dword ptr fs:[00000030h] 6_2_00568511
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_005621CE mov eax, dword ptr fs:[00000030h] 6_2_005621CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 6_2_00567780 mov eax, dword ptr fs:[00000030h] 6_2_00567780
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D2A2B mov eax, dword ptr fs:[00000030h] 8_2_021D2A2B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D3CD0 mov eax, dword ptr fs:[00000030h] 8_2_021D3CD0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D70EA mov eax, dword ptr fs:[00000030h] 8_2_021D70EA
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D8511 mov eax, dword ptr fs:[00000030h] 8_2_021D8511
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D2B5F mov eax, dword ptr fs:[00000030h] 8_2_021D2B5F
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D7780 mov eax, dword ptr fs:[00000030h] 8_2_021D7780
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D21CE mov eax, dword ptr fs:[00000030h] 8_2_021D21CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 8_2_021D2BC9 mov eax, dword ptr fs:[00000030h] 8_2_021D2BC9
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00562BC9 mov eax, dword ptr fs:[00000030h] 11_2_00562BC9
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00562A2B mov eax, dword ptr fs:[00000030h] 11_2_00562A2B
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00563CD0 mov eax, dword ptr fs:[00000030h] 11_2_00563CD0
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005670EA mov eax, dword ptr fs:[00000030h] 11_2_005670EA
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00562B5F mov eax, dword ptr fs:[00000030h] 11_2_00562B5F
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00568511 mov eax, dword ptr fs:[00000030h] 11_2_00568511
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_005621CE mov eax, dword ptr fs:[00000030h] 11_2_005621CE
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Code function: 11_2_00567780 mov eax, dword ptr fs:[00000030h] 11_2_00567780

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Process created: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe 'C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe Process created: C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe C:\Users\user\AppData\Local\Temp\BILTMORE\PILGRIMIZES.exe
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697529935.0000000002477000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697252918.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697252918.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697529935.0000000002477000.00000004.00000040.sdmp Binary or memory string: Program Manageranager
Source: logs.dat.1.dr Binary or memory string: [ Program Manager ]
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697529935.0000000002477000.00000004.00000040.sdmp Binary or memory string: Program Manager0|
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697529935.0000000002477000.00000004.00000040.sdmp Binary or memory string: Program Managerrs\eng
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697252918.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697252918.0000000000EB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: NEWORDERrefno0992883jpg.exe, 00000001.00000002.697196553.0000000000920000.00000004.00000001.sdmp Binary or memory string: |Program Manager|

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\NEWORDERrefno0992883jpg.exe Code function: 0_2_021F5E52 cpuid 0_2_021F5E52
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Detected Remcos RAT
Source: PILGRIMIZES.exe, 00000006.00000002.415814005.0000000000A1C000.00000004.00000020.sdmp String found in binary or memory: Remcos_Mutex_InjP

Behavior Graph:

Behavior Graph ID: 342213  Sample: NEWORDERrefno0992883jpg.exe  Startdate: 20/01/2021  Architecture: WINDOWS  Score: 100

Signatures on the submitted sample: Multi AV Scanner detection for submitted file; Detected Remcos RAT; Yara detected GuLoader; 4 other signatures

Process tree (reconstructed from the graph; node numbers in brackets are the graph's own):
  NEWORDERrefno0992883jpg.exe [7]
    signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
    NEWORDERrefno0992883jpg.exe [14]
      network: inforosi3m.hopto.org (185.140.53.253, 2048, 49731, DAVID_CRAIGGG, Sweden); ry3dmw.dm.files.1drv.com; 2 other IPs or domains
      dropped: C:\Users\user\AppData\...\PILGRIMIZES.exe (PE32); C:\Users\user\AppData\Roaming\...\logs.dat (ASCII); C:\Users\user\AppData\...\PILGRIMIZES.vbs (ASCII)
      signatures: Hides threads from debuggers
  wscript.exe [10]
    PILGRIMIZES.exe [19]
      signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements
      PILGRIMIZES.exe [23]
        network: ry3dmw.dm.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com
        signatures: Tries to detect Any.run; Hides threads from debuggers
  wscript.exe [12]
    PILGRIMIZES.exe [21]
      PILGRIMIZES.exe [27]
        network: ry3dmw.dm.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com

Contacted Public IPs

IP              Domain   Country  ASN     ASN Name       Malicious
185.140.53.253  unknown  Sweden   209623  DAVID_CRAIGGG  false

Contacted Domains

Name                      IP              Active
inforosi3m.hopto.org      185.140.53.253  true
onedrive.live.com         unknown         unknown
ry3dmw.dm.files.1drv.com  unknown         unknown