Analysis Report New Doc 20211401#_our new price.exe

Overview

General Information

Sample Name: New Doc 20211401#_our new price.exe
Analysis ID: 342481
MD5: 14a7ac7e8a7cc68ee2040ea5f3bb145e
SHA1: e7eabd570ec2dce1203d013a11599a8c627b527a
SHA256: cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d
Tags: exe, nVpn, RAT, RemcosRAT

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: New Doc 20211401#_our new price.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: New Doc 20211401#_our new price.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: oluchi.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49726 -> 91.193.75.243:2405
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digi
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp String found in binary or memory: https://fkteua.db.files.1drv.com/
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp String found in binary or memory: https://fkteua.db.files.1drv.com/y4m1K5aXO_hTJZwQ6sRUBeX3MwbIRGCEyLmUsy6a-Tv86ILmUxMJD16_BkowRYABW7o
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344866328.00000000008F0000.00000004.00000020.sdmp String found in binary or memory: https://fkteua.db.files.1drv.com/y4m7jo0uscLY3JGQOA8WNtz0kE6mECzmykD9EyNeCFL_ih_emej5aweglDZjRx1WKGH
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344796615.00000000008A7000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=A32AEA2B4355716B&resid=A32AEA2B4355716B%215171&authkey=APwe6-

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021508B7 EnumWindows,NtSetInformationThread, 0_2_021508B7
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02158CE9 NtResumeThread, 0_2_02158CE9
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_0215310A NtWriteVirtualMemory, 0_2_0215310A
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021587FD NtProtectVirtualMemory, 0_2_021587FD
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02159012 NtResumeThread, 0_2_02159012
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02157088 NtSetInformationThread, 0_2_02157088
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021570B8 NtSetInformationThread, 0_2_021570B8
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021536AE NtWriteVirtualMemory, 0_2_021536AE
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021592AE NtResumeThread, 0_2_021592AE
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021512DE NtSetInformationThread, 0_2_021512DE
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021534F5 NtWriteVirtualMemory, 0_2_021534F5
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02158CF3 NtResumeThread, 0_2_02158CF3
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021508EF NtSetInformationThread, 0_2_021508EF
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021532EA NtWriteVirtualMemory, 0_2_021532EA
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_0215911A NtResumeThread, 0_2_0215911A
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02158F0D NtResumeThread, 0_2_02158F0D
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02153187 NtWriteVirtualMemory, 0_2_02153187
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02156DB9 NtSetInformationThread, 0_2_02156DB9
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02158DF2 NtResumeThread, 0_2_02158DF2
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021408B7 EnumWindows,NtSetInformationThread, 12_2_021408B7
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02148CE9 NtMapViewOfSection, 12_2_02148CE9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_0214310A NtWriteVirtualMemory, 12_2_0214310A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021487FD NtProtectVirtualMemory, 12_2_021487FD
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02149012 NtMapViewOfSection, 12_2_02149012
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02147088 NtSetInformationThread, 12_2_02147088
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021470B8 NtSetInformationThread, 12_2_021470B8
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021436AE NtWriteVirtualMemory, 12_2_021436AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021492AE NtMapViewOfSection, 12_2_021492AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021412DE NtSetInformationThread, 12_2_021412DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021434F5 NtWriteVirtualMemory, 12_2_021434F5
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02148CF3 NtMapViewOfSection, 12_2_02148CF3
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021408EF NtSetInformationThread, 12_2_021408EF
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021432EA NtWriteVirtualMemory, 12_2_021432EA
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_0214911A NtMapViewOfSection, 12_2_0214911A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02148F0D NtMapViewOfSection, 12_2_02148F0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02143187 NtWriteVirtualMemory, 12_2_02143187
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02146DB9 NtSetInformationThread, 12_2_02146DB9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02148DF2 NtMapViewOfSection, 12_2_02148DF2
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00568CE9 NtQueryInformationProcess, 14_2_00568CE9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005608B7 EnumWindows,NtSetInformationThread, 14_2_005608B7
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005687FD NtProtectVirtualMemory, 14_2_005687FD
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00569012 NtQueryInformationProcess, 14_2_00569012
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005612DE NtSetInformationThread,NtProtectVirtualMemory, 14_2_005612DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00568CF3 NtQueryInformationProcess, 14_2_00568CF3
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005608EF NtSetInformationThread, 14_2_005608EF
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00567088 NtSetInformationThread, 14_2_00567088
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005670B8 NtSetInformationThread, 14_2_005670B8
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005692AE NtQueryInformationProcess, 14_2_005692AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_0056911A NtQueryInformationProcess, 14_2_0056911A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00568F0D NtQueryInformationProcess, 14_2_00568F0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00568DF2 NtQueryInformationProcess, 14_2_00568DF2
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00566DB9 NtSetInformationThread, 14_2_00566DB9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F08B7 EnumWindows,NtSetInformationThread, 15_2_021F08B7
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F8CE9 NtMapViewOfSection, 15_2_021F8CE9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F310A NtWriteVirtualMemory, 15_2_021F310A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F87FD NtProtectVirtualMemory, 15_2_021F87FD
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F9012 NtMapViewOfSection, 15_2_021F9012
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F7088 NtSetInformationThread, 15_2_021F7088
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F70B8 NtSetInformationThread, 15_2_021F70B8
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F36AE NtWriteVirtualMemory, 15_2_021F36AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F92AE NtMapViewOfSection, 15_2_021F92AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F12DE NtSetInformationThread, 15_2_021F12DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F34F5 NtWriteVirtualMemory, 15_2_021F34F5
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F8CF3 NtMapViewOfSection, 15_2_021F8CF3
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F08EF NtSetInformationThread, 15_2_021F08EF
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F32EA NtWriteVirtualMemory, 15_2_021F32EA
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F911A NtMapViewOfSection, 15_2_021F911A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F8F0D NtMapViewOfSection, 15_2_021F8F0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F3187 NtWriteVirtualMemory, 15_2_021F3187
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F6DB9 NtSetInformationThread, 15_2_021F6DB9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F8DF2 NtMapViewOfSection, 15_2_021F8DF2
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00568CE9 NtQueryInformationProcess, 16_2_00568CE9
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005608B7 EnumWindows,NtSetInformationThread, 16_2_005608B7
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005687FD NtProtectVirtualMemory, 16_2_005687FD
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00569012 NtQueryInformationProcess, 16_2_00569012
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005612DE NtSetInformationThread,NtProtectVirtualMemory, 16_2_005612DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00568CF3 NtQueryInformationProcess, 16_2_00568CF3
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005608EF NtSetInformationThread, 16_2_005608EF
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00567088 NtSetInformationThread, 16_2_00567088
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005670B8 NtSetInformationThread, 16_2_005670B8
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005692AE NtQueryInformationProcess, 16_2_005692AE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_0056911A NtQueryInformationProcess, 16_2_0056911A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00568F0D NtQueryInformationProcess, 16_2_00568F0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00568DF2 NtQueryInformationProcess, 16_2_00568DF2
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00566DB9 NtSetInformationThread, 16_2_00566DB9
Detected potential crypto function
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_004041D8 0_2_004041D8
PE file contains strange resources
Source: New Doc 20211401#_our new price.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Indtastningsfacilitet.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: New Doc 20211401#_our new price.exe, 00000000.00000000.254304802.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe, 00000000.00000002.273121164.0000000002140000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe, 00000002.00000000.271623707.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe
Uses 32bit PE files
Source: New Doc 20211401#_our new price.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/3@13/2
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MNA1IV
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF089D9D5C2295B640.TMP
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Source: New Doc 20211401#_our new price.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: New Doc 20211401#_our new price.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File read: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
Source: unknown Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000E.00000002.344016500.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 1340, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 3808, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 5412, type: MEMORY
Source: Yara match File source: Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 6564, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 1340, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 3808, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 5412, type: MEMORY
Source: Yara match File source: Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344, type: MEMORY
Source: Yara match File source: Process Memory Space: Indtastningsfacilitet.exe PID: 6564, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_00406A5D push esp; retf 0_2_00406A5E
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_0040701C push edx; retn 0035h 0_2_0040701D
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_00406830 push 0000007Eh; retf 0016h 0_2_00406832
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_004064D8 push 00000014h; retf 0010h 0_2_004064DA
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_004052E0 push 0000007Eh; retf 0_2_004052E2
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_004018AE push ds; ret 0_2_004018B8
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_00406D74 push 0000007Eh; retf 0016h 0_2_00406D76
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02155AE1 push 01D18579h; retf 0_2_02155BDC
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02145AE1 push 01D18579h; retf 12_2_02145BDC
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00565AE1 push 01D18579h; retf 14_2_00565BDC
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F5AE1 push 01D18579h; retf 15_2_021F5BDC
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00565AE1 push 01D18579h; retf 16_2_00565BDC

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Indtastningsfacilitet.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02157802 rdtsc 0_2_02157802
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Window / User API: threadDelayed 602 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe TID: 5968 Thread sleep count: 602 > 30 Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe TID: 5968 Thread sleep time: -6020000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Last function: Thread delayed
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344796615.00000000008A7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWx
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344866328.00000000008F0000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Indtastningsfacilitet.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021508B7 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,0215074C 0_2_021508B7
Hides threads from debuggers
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02157802 rdtsc 0_2_02157802
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02154D2A LdrInitializeThunk, 0_2_02154D2A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02152A8A mov eax, dword ptr fs:[00000030h] 0_2_02152A8A
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_021520DE mov eax, dword ptr fs:[00000030h] 0_2_021520DE
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02153B0D mov eax, dword ptr fs:[00000030h] 0_2_02153B0D
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_0215812E mov eax, dword ptr fs:[00000030h] 0_2_0215812E
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02156D40 mov eax, dword ptr fs:[00000030h] 0_2_02156D40
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Code function: 0_2_02157391 mov eax, dword ptr fs:[00000030h] 0_2_02157391
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02142A8A mov eax, dword ptr fs:[00000030h] 12_2_02142A8A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_021420DE mov eax, dword ptr fs:[00000030h] 12_2_021420DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02143B0D mov eax, dword ptr fs:[00000030h] 12_2_02143B0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_0214812E mov eax, dword ptr fs:[00000030h] 12_2_0214812E
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02146D40 mov eax, dword ptr fs:[00000030h] 12_2_02146D40
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 12_2_02147391 mov eax, dword ptr fs:[00000030h] 12_2_02147391
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00562A8A mov eax, dword ptr fs:[00000030h] 14_2_00562A8A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_005620DE mov eax, dword ptr fs:[00000030h] 14_2_005620DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00566D40 mov eax, dword ptr fs:[00000030h] 14_2_00566D40
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00563B0D mov eax, dword ptr fs:[00000030h] 14_2_00563B0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_0056812E mov eax, dword ptr fs:[00000030h] 14_2_0056812E
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 14_2_00567391 mov eax, dword ptr fs:[00000030h] 14_2_00567391
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F2A8A mov eax, dword ptr fs:[00000030h] 15_2_021F2A8A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F20DE mov eax, dword ptr fs:[00000030h] 15_2_021F20DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F3B0D mov eax, dword ptr fs:[00000030h] 15_2_021F3B0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F812E mov eax, dword ptr fs:[00000030h] 15_2_021F812E
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F6D40 mov eax, dword ptr fs:[00000030h] 15_2_021F6D40
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 15_2_021F7391 mov eax, dword ptr fs:[00000030h] 15_2_021F7391
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00562A8A mov eax, dword ptr fs:[00000030h] 16_2_00562A8A
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_005620DE mov eax, dword ptr fs:[00000030h] 16_2_005620DE
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00566D40 mov eax, dword ptr fs:[00000030h] 16_2_00566D40
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00563B0D mov eax, dword ptr fs:[00000030h] 16_2_00563B0D
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_0056812E mov eax, dword ptr fs:[00000030h] 16_2_0056812E
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Code function: 16_2_00567391 mov eax, dword ptr fs:[00000030h] 16_2_00567391

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe' Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Jump to behavior
Source: logs.dat.2.dr Binary or memory string: [ Program Manager ]
Source: New Doc 20211401#_our new price.exe, 00000002.00000003.454251663.000000001E842000.00000004.00000001.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Remote Access Functionality:

Detected Remcos RAT
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp String found in binary or memory: Remcos_Mutex_InjSI:,
Behavior Graph

Behavior Graph ID: 342481
Sample: New Doc 20211401#_our new p...
Startdate: 21/01/2021
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP: oluchi.ddns.net; g.msn.com
Sample-level signatures: Multi AV Scanner detection for submitted file; Detected Remcos RAT; Yara detected GuLoader; 5 other signatures

Process 8: New Doc 20211401#_our new price.exe (started from sample)
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Tries to detect Any.run; Hides threads from debuggers
  Starts process 15: New Doc 20211401#_our new price.exe
    DNS/IP: oluchi.ddns.net 91.193.75.243, ports 2405, 49726, 49735, DAVID_CRAIGGG, Serbia; 192.168.2.1 unknown unknown; 3 other IPs or domains
    Dropped: C:\Users\user\...\Indtastningsfacilitet.exe (PE32); C:\Users\user\AppData\Roaming\...\logs.dat (ASCII); C:\Users\user\...\Indtastningsfacilitet.vbs (ASCII)

Process 11: wscript.exe (started from sample)
  Starts process 20: Indtastningsfacilitet.exe
    Signatures: Multi AV Scanner detection for dropped file; Tries to detect Any.run; Hides threads from debuggers
    Starts process 24: Indtastningsfacilitet.exe
      DNS/IP: onedrive.live.com; fkteua.db.files.1drv.com; db-files.fe.1drv.com
      Signatures: Tries to detect Any.run; Hides threads from debuggers

Process 13: wscript.exe (started from sample)
  Starts process 22: Indtastningsfacilitet.exe
    Starts process 28: Indtastningsfacilitet.exe
      DNS/IP: onedrive.live.com; fkteua.db.files.1drv.com; db-files.fe.1drv.com

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
91.193.75.243 unknown Serbia 209623 DAVID_CRAIGGG true

Private IPs

IP
192.168.2.1

Contacted Domains

Name IP Active
oluchi.ddns.net 91.193.75.243 true
g.msn.com unknown unknown
onedrive.live.com unknown unknown
fkteua.db.files.1drv.com unknown unknown