Source: Remittance advice.exe
Virustotal: Detection: 45%
Source: Remittance advice.exe
ReversingLabs: Detection: 36%
Source: Remittance advice.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Note: RELOCS_STRIPPED on a 32-bit EXE means the loader cannot rebase the image, so it always maps at its preferred base and gets no ASLR. This flag set (0x010F) is what older linkers emit, including the one behind VB6 executables, and is not by itself a sign of packing.
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040425D 4x nop then lfence
Note: lfence is normally used to serialise a following rdtsc read; this fits the rdtsc timing loop reported for the sample further down.
Source: Remittance advice.exe, 00000000.00000002.1328575340.000000000067A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: HOOK MODULE/FUNCTION XML fragments of this form are application-compatibility shim descriptors that the Windows shim engine loads into many ordinary processes; on its own this string is a weak indicator.
Source: C:\Users\user\Desktop\Remittance advice.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00405DCE
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00406E03
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00406EE2
Source: Remittance advice.exe, 00000000.00000002.1327563785.0000000000417000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameEnantiopathia6.exe vs Remittance advice.exe
Source: Remittance advice.exe, 00000000.00000002.1329075986.0000000002230000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs Remittance advice.exe
Source: Remittance advice.exe
Binary or memory string: OriginalFilenameEnantiopathia6.exe vs Remittance advice.exe
Note: the version resource records the build name Enantiopathia6.exe, so the "Remittance advice" name is a lure applied after compilation; the odd build name is a useful pivot when hunting for related samples. The OriginalFilenameuser32j% hit comes from a different region (0x2230000) and reads as a truncated version block of a mapped user32 module, not a second name for the sample.
Source: classification engine
Classification label: mal72.troj.evad.winEXE@1/0@0/0
Note: read as a malicious score of 72/100 with trojan and evasion tags for a Windows EXE; the trailing counters (one process, no dropped files, no DNS or IP contact) agree with the "no activity detected" summary further down.
Source: C:\Users\user\Desktop\Remittance advice.exe
File created: C:\Users\user\AppData\Local\Temp\~DFACCDFEC25FC090FE.TMP
Note: ~DF*.TMP files are OLE compound-storage scratch files created by many legitimate applications; this one is not reported as a dropped payload.
Source: Remittance advice.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
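The two "Static PE information" lines above are raw bit fields from the COFF header and the section table. The following Python, an added example and not part of the sandbox report, decodes both fields from a constructed PE32 header that carries the same values the report lists (file Characteristics 0x010F, .text = 0x60000020), then derives the ASLR consequence of RELOCS_STRIPPED. The header bytes are built inline so the real sample is not needed; the helper names are this example's own.

```python
"""Decode COFF Characteristics and section flags, and explain why a
RELOCS_STRIPPED image cannot be randomised.

Added example, not the sandbox's code. The PE bytes are a constructed,
non-runnable header reproducing the flag values reported for the sample.
"""
import struct

# IMAGE_FILE_* bits of the COFF header Characteristics field
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_SCN_* bits of the section header Characteristics field
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def decode_bits(value, table):
    return {name for bit, name in table.items() if value & bit}


def build_sample_pe(file_chars=0x010F, dll_chars=0x0000, text_chars=0x60000020):
    """Constructed PE32 header: MZ stub, PE signature, COFF header,
    224-byte optional header and a single .text section header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, file_chars)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)               # DllCharacteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, text_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect


def parse_pe(data):
    """Return machine, decoded file flags, DYNAMIC_BASE and per-section flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]  # same offset in PE32 and PE32+
    sections = {}
    off = opt_off + opt_size
    for _ in range(nsect):
        name, *_, sect_chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections[name.rstrip(b"\0").decode()] = decode_bits(sect_chars, SECTION_FLAGS)
        off += 40
    return {
        "machine": machine,
        "characteristics": decode_bits(chars, FILE_FLAGS),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "sections": sections,
    }


def aslr_status(info):
    """Without relocations the loader cannot move the image, so DYNAMIC_BASE
    is irrelevant; with relocations, DYNAMIC_BASE decides."""
    if "RELOCS_STRIPPED" in info["characteristics"]:
        return "no ASLR: relocations stripped, image must load at its preferred base"
    if not info["dynamic_base"]:
        return "no ASLR: DYNAMIC_BASE not set"
    return "ASLR-capable"


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(sorted(info["characteristics"]), info["sections"], aslr_status(info))
```

Running it against the constructed header yields exactly the five flags the report lists and the three .text flags; changing the constructed Characteristics to 0x010E (relocations kept) and setting DYNAMIC_BASE flips the verdict to ASLR-capable, which is the check to run on any suspicious 32-bit EXE before assuming its addresses in the report are stable across runs.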
Source: C:\Users\user\Desktop\Remittance advice.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Note: msvbvm60.dll is the Visual Basic 6 runtime, so this is a VB6 executable running under WOW64. Several entries in this listing (the OLE temp file, the SetErrorMode call, the SRP key read) are ordinary runtime behaviour, and the static anti-disassembly hits further down should be weighed with the VB6 origin in mind.
Source: C:\Users\user\Desktop\Remittance advice.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: the Safer (Software Restriction Policies) CodeIdentifiers key is consulted by the Safer APIs that CreateProcess and the shell use when starting programs; benign software opens it as well, so this is not evasion on its own.
Source: Yara match
File source: Process Memory Space: Remittance advice.exe PID: 6336, type: MEMORY
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040182E push edi; iretd (0_2_0040182F)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040882E push ds; ret (0_2_0040884D)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004020D6 push edi; iretd (0_2_004020D7)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00408152 push es; iretd (0_2_00408154)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040B10A push es; iretd (0_2_0040B22C)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409120 push es; iretd (0_2_00409124)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004081CC push es; iretd (0_2_004081D8)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004092C9 push es; iretd (0_2_004092CC)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00408AE9 pushad; ret (0_2_00408B20)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A37F push es; iretd (0_2_0040A380)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00408B2E push ecx; iretd (0_2_00408B34)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A381 push es; iretd (0_2_0040A390)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A391 push es; iretd (0_2_0040A3A0)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409393 push es; ret (0_2_00409398)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A3A1 push es; iretd (0_2_0040A3B0)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004093B2 push es; iretd (0_2_004094E4)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409C7F pushad; ret (0_2_00409C80)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409C36 push es; ret (0_2_00409C3C)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A4C6 push es; iretd (0_2_0040A4C8)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409CDA push es; ret (0_2_00409D4C)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A4E6 push es; ret (0_2_0040A554)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004094E8 push es; iretd (0_2_004094F0)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A566 push es; iretd (0_2_0040A5A4)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A532 push es; ret (0_2_0040A554)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A532 push es; iretd (0_2_0040A5A4)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A532 push es; ret (0_2_0040A614)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004085F1 pushad; ret (0_2_004085F4)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_0040A5B2 push es; ret (0_2_0040A614)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00408DB8 push cs; iretd (0_2_00408DBC)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004056C2 push ss; retf (0_2_004056C3)
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00409E9C pushfd; retf (0_2_00409E9D)
Note: these are static disassembler heuristics; a segment-register push, pushad or pushfd followed by ret, retf or iretd is not something a compiler emits, so each hit is either deliberate anti-disassembly or non-code bytes decoded as x86. All of them fall in 0x401000-0x40B2xx, and VB6 images keep p-code and runtime structures next to native code in .text, so this many hits in a VB6 binary is mostly junk-byte noise. Treat them as low-weight and put the rdtsc loop and the PEB reads further down at the top of the evidence list.
Source: C:\Users\user\Desktop\Remittance advice.exe
Process information set: NOOPENFILEERRORBOX
Note: SetErrorMode(SEM_NOOPENFILEERRORBOX) suppresses the "file not found" dialog; it is routine runtime behaviour and only matters here because a modal dialog would stall an unattended run.
Source: Remittance advice.exe, 00000000.00000002.1327620350.0000000000460000.00000040.00000001.sdmp
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF
Source: Remittance advice.exe
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Remittance advice.exe, 00000000.00000002.1327620350.0000000000460000.00000040.00000001.sdmp
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef
Source: Remittance advice.exe
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Note: qemu-ga.exe is the QEMU guest agent, so probing its install path is a virtual-machine artefact check aimed at QEMU/KVM-based sandboxes. The path is present in upper and mixed case, and the copies in process memory sit in the region at 0x460000, dumped separately from the image.
Source: C:\Users\user\Desktop\Remittance advice.exe
RDTSC instruction interceptor: First address: 0000000000403F92 second address: 0000000000403F92 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 dec edi 0x00000004 jmp 00007F5D84D1C3D7h 0x00000006 cmp edi, 00000000h 0x00000009 jne 00007F5D84D1C393h 0x0000000b pushad 0x0000000c jmp 00007F5D84D1C3CEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00403D4F rdtsc
Note: the intercepted sequence is a countdown loop (dec edi; cmp edi, 0; jne) bracketed by two rdtsc reads at the same address, consistent with measuring how many cycles a fixed number of iterations costs; under a hypervisor or an instrumented run the delta inflates and the check fails. The 0x7F5D... jump targets cannot be addresses inside a 32-bit process and reflect where the interceptor decoded the copied bytes; the branches themselves are the short back-edge of the loop.
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Remittance advice.exe
Process Stats: CPU usage > 90% for more than 60s
Note: together with the rdtsc loop, a full core busy for over a minute reads as a spin loop intended to burn through the analysis time budget before any payload runs, which also explains why no network, injection or drop activity was observed.
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00461068 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004632FE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004613DF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00463D88 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00463D97 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_00461E88 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Remittance advice.exe
Code function: 0_2_004637AD mov eax, dword ptr fs:[00000030h]
Note: fs:[30h] is the PEB pointer in a 32-bit process; reading it is the first step of BeingDebugged and NtGlobalFlag checks and of walking PEB->Ldr to resolve APIs without an import table. These functions sit at 0x4610xx-0x463Dxx, in the same 0x460000 region that holds the qemu-ga strings and that was dumped separately from the image's 0x401000-0x417000 range, which points to code decoded or written into memory at run time rather than code visible in the file's .text. This is the material to carve from the memory dump and disassemble first.
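The three code signatures in this report (the push/iretd junk sequences, the rdtsc loop at 0x403F92 and the fs:[30h] PEB reads) are all byte patterns, and the sandbox's static hits behave like a linear scan for them. The following Python, an added example and not the sandbox's own detection code, implements such a scan over a constructed byte string that mirrors the interceptor listing: rdtsc pairs within a window, a backward jne between them (the loop shape), the two common encodings of mov eax, fs:[30h], and a push followed by a return opcode. The window size and the sample bytes are this example's assumptions. Because it matches raw bytes, it shares the false-positive behaviour discussed above: data or p-code that happens to decode as 06 CF will be reported just as the real thing would.

```python
"""Byte-level scan for the three code signatures this report flags.

Added example, not part of the sandbox report. It is a linear pattern match
over raw bytes, the same approach (and the same weakness on non-code bytes)
as the static heuristics behind the listing above. SAMPLE is constructed.
"""

RDTSC = b"\x0f\x31"
PEB_READS = [
    b"\x64\xa1\x30\x00\x00\x00",         # mov eax, fs:[30h]  (moffs32 form)
    b"\x64\x8b\x05\x30\x00\x00\x00",     # mov eax, fs:[30h]  (ModRM form)
]
# push opcodes the report pairs with a return, keyed by first byte
PUSHES = {0x06: "push es", 0x0e: "push cs", 0x16: "push ss", 0x1e: "push ds",
          0x51: "push ecx", 0x57: "push edi", 0x60: "pushad", 0x9c: "pushfd"}
RETURNS = {0xc3: "ret", 0xcb: "retf", 0xcf: "iretd"}


def find_all(code, pattern):
    """Offsets of every (possibly overlapping) occurrence of pattern."""
    hits, i = [], code.find(pattern)
    while i != -1:
        hits.append(i)
        i = code.find(pattern, i + 1)
    return hits


def find_rdtsc_pairs(code, window=32):
    """Consecutive rdtsc reads at most `window` bytes apart: a cycle-delta check."""
    offs = find_all(code, RDTSC)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def has_timing_loop(code, window=32):
    """An rdtsc pair whose gap contains a backward jne (75 xx, rel8 < 0),
    i.e. a loop bracketed by two timestamp reads, as in the interceptor listing."""
    for a, b in find_rdtsc_pairs(code, window):
        gap = code[a + 2:b]
        for i in range(len(gap) - 1):
            if gap[i] == 0x75 and gap[i + 1] >= 0x80:
                return True
    return False


def find_peb_reads(code):
    """Offsets of mov eax, fs:[30h] in either encoding."""
    return sorted(o for p in PEB_READS for o in find_all(code, p))


def find_junk_returns(code):
    """push <reg/seg>, pushad or pushfd immediately followed by a return opcode."""
    return [(i, f"{PUSHES[code[i]]}; {RETURNS[code[i + 1]]}")
            for i in range(len(code) - 1)
            if code[i] in PUSHES and code[i + 1] in RETURNS]


# Constructed bytes: the rdtsc countdown loop from the interceptor listing,
# then a PEB read, then a "push es; iretd" junk sequence.
SAMPLE = bytes([
    0x0f, 0x31,                           # rdtsc
    0x61,                                 # popad
    0x4f,                                 # dec edi
    0xeb, 0x00,                           # jmp +0 (stands in for the interceptor's jmp)
    0x83, 0xff, 0x00,                     # cmp edi, 0
    0x75, 0xf7,                           # jne -9 -> back to popad
    0x60,                                 # pushad
    0xeb, 0x00,                           # jmp +0
    0x0f, 0x31,                           # rdtsc
    0x64, 0xa1, 0x30, 0x00, 0x00, 0x00,   # mov eax, fs:[30h]
    0x06, 0xcf,                           # push es; iretd
])


def scan(code):
    """Summarise all three signatures for a byte blob (a dumped region, say)."""
    return {
        "rdtsc_pairs": find_rdtsc_pairs(code),
        "timing_loop": has_timing_loop(code),
        "peb_reads": find_peb_reads(code),
        "junk_returns": find_junk_returns(code),
    }


if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run scan() over the 0x460000 memory dump rather than the file on disk: that region is where the PEB reads and the qemu-ga strings live, while the junk-return hits in the on-disk .text are the ones to discount. Note that has_timing_loop only recognises the short-jump form (75 rel8); a loop using the near form (0F 85 rel32) would need a second pattern.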
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp
Binary or memory string: SProgram Managerl
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd,
Source: Remittance advice.exe, 00000000.00000002.1328805905.0000000000D00000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Note: Shell_TrayWnd and Progman are the window classes of the taskbar and the desktop ("Program Manager" is Progman's window title). Looking them up with FindWindow is a cheap test that an interactive Explorer session exists, which a headless sandbox may lack, but the same lookups are used benignly to reach the desktop window, so they only add weight alongside the qemu-ga and rdtsc checks. "SProgram Managerl" and "Progmanlock" are string reads that ran into adjacent data.