Analysis Report SecuriteInfo.com.Generic.mg.354e60543438661b.7014

ID:	343148
Product:	CloudBasic
Start time:	12:07:38
Start date:	22.01.2021
Sample:	SecuriteInfo.com.Generic.mg.354e60543438661b.7014
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	354e60543438661b75246f39f6cde70d
SHA1:	f698e89c2f16c02de7183a2c47ac31fda700ce3c
SHA256:	e5aac8a58f55ef2a6ac7aa5997a05a240fd09d8e856f95209b7e499beb4c4d57
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Virustotal: Detection: 17%

Perma Link

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514536414.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Classification label

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Creates temporary files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

File created: C:\Users\user\AppData\Local\Temp\~DF787D259C8D513009.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Virustotal: Detection: 17%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_0040742D pushfd ; ret		0_2_00407440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_0040368F push cs; retf		0_2_00403690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B120A2 push ss; retf		0_2_02B120AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1207B push ss; retf		0_2_02B12085
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11EDC push ss; retf		0_2_02B11EE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F03 push ss; retf		0_2_02B11F0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B14D8C push esi; iretd		0_2_02B14D8D

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11A68		0_2_02B11A68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11A6D		0_2_02B11A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11B15		0_2_02B11B15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11B64		0_2_02B11B64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B12820		0_2_02B12820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1286A		0_2_02B1286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B159C5		0_2_02B159C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B126AE		0_2_02B126AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1264C		0_2_02B1264C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F55		0_2_02B11F55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B125C2		0_2_02B125C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B125C4		0_2_02B125C4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B10593 second address: 0000000002B10593 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B1691D second address: 0000000002B1691D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B169E0 second address: 0000000002B169E0 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B16A8F second address: 0000000002B16A8F instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B10593 second address: 0000000002B10593 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B1691D second address: 0000000002B1691D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B169E0 second address: 0000000002B169E0 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B16A8F second address: 0000000002B16A8F instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	RDTSC instruction interceptor: First address: 0000000002B165F8 second address: 0000000002B165F8 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9F88BAB418h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F9F88BAB406h 0x0000001f test ebx, 410FB02Fh 0x00000025 add edi, edx 0x00000027 test ax, cx 0x0000002a dec dword ptr [ebp+000000F8h] 0x00000030 cmp al, cl 0x00000032 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000039 jne 00007F9F88BAB359h 0x0000003b cmp bl, cl 0x0000003d call 00007F9F88BAB43Ch 0x00000042 call 00007F9F88BAB428h 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Code function: 0_2_02B172A2 rdtsc

0_2_02B172A2

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe

Code function: 0_2_02B172A2 rdtsc

0_2_02B172A2

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B162F3 mov eax, dword ptr fs:[00000030h]		0_2_02B162F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B12820 mov eax, dword ptr fs:[00000030h]		0_2_02B12820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B1286A mov eax, dword ptr fs:[00000030h]		0_2_02B1286A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B137B6 mov eax, dword ptr fs:[00000030h]		0_2_02B137B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B11F55 mov eax, dword ptr fs:[00000030h]		0_2_02B11F55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B16D8A mov eax, dword ptr fs:[00000030h]		0_2_02B16D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B16D34 mov eax, dword ptr fs:[00000030h]		0_2_02B16D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe	Code function: 0_2_02B15D47 mov eax, dword ptr fs:[00000030h]		0_2_02B15D47

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock