Analysis Report SecuriteInfo.com.Variant.Razy.845229.27038.1852

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.845229.27038.1852 (renamed file extension from 1852 to exe)
Analysis ID: 356590
MD5: 869eae0220a293dcabf4051dd323bbd8
SHA1: 395e7683548c8a25c4963e3e3c56b04b76dbf0b7
SHA256: 496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
Tags: GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: mtspsmjeli.sch.id Virustotal: Detection: 12%
Source: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\win.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Virustotal: Detection: 35%
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.150.60.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cl/Jice_remcos%202_tfkxJbdn252.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: mtspsmjeli.sch.id
    Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: mtspsmjeli.sch.id
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp String found in binary or memory: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_0056688B NtProtectVirtualMemory, 19_2_0056688B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005604B6 EnumWindows,NtSetInformationThread, 19_2_005604B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00565209 NtSetInformationThread, 19_2_00565209
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_0056506B NtSetInformationThread, 19_2_0056506B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_0056057F NtSetInformationThread, 19_2_0056057F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005605B2 NtSetInformationThread, 19_2_005605B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00563635 NtSetInformationThread,LdrInitializeThunk, 19_2_00563635
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00560629 NtSetInformationThread, 19_2_00560629
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_0056069F NtSetInformationThread, 19_2_0056069F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00561AA2 NtSetInformationThread, 19_2_00561AA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00560F41 NtProtectVirtualMemory, 19_2_00560F41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00560F23 NtProtectVirtualMemory, 19_2_00560F23
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405454 1_2_00405454
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405872 1_2_00405872
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00402C01 1_2_00402C01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405814 1_2_00405814
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405429 1_2_00405429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054C1 1_2_004054C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054C3 1_2_004054C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054C5 1_2_004054C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054C7 1_2_004054C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054C9 1_2_004054C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004058CB 1_2_004058CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054E0 1_2_004054E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004058F7 1_2_004058F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405488 1_2_00405488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040589C 1_2_0040589C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054AC 1_2_004054AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054B3 1_2_004054B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054B5 1_2_004054B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054B7 1_2_004054B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054B9 1_2_004054B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054BB 1_2_004054BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004054BD 1_2_004054BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405954 1_2_00405954
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040556C 1_2_0040556C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040550A 1_2_0040550A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040513D 1_2_0040513D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040553D 1_2_0040553D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004049E3 1_2_004049E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004055EA 1_2_004055EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00404DA2 1_2_00404DA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040525A 1_2_0040525A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405A06 1_2_00405A06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040561E 1_2_0040561E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040522C 1_2_0040522C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004056DE 1_2_004056DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405682 1_2_00405682
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004052AB 1_2_004052AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00404B4D 1_2_00404B4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405750 1_2_00405750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040536C 1_2_0040536C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040576D 1_2_0040576D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040530B 1_2_0040530B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00405337 1_2_00405337
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004057C0 1_2_004057C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004057EF 1_2_004057EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004053FB 1_2_004053FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_00404BFE 1_2_00404BFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040539A 1_2_0040539A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040579A 1_2_0040579A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004043B6 1_2_004043B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00565853 19_2_00565853
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00561C9A 19_2_00561C9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005656D9 19_2_005656D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00561B01 19_2_00561B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00564FCA 19_2_00564FCA
PE file contains strange resources
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.19.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.803089059.0000000002130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000000.801506120.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827975681.000000001E180000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827894653.000000001DEB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/3@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File created: C:\Users\user\AppData\Local\Temp\~DFE447D3F5160C9423.TMP
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\win.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Virustotal: Detection: 35%
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY
PE file contains an invalid checksum
Source: win.exe.19.dr Static PE information: real checksum: 0x25c49 should be: 0x22c7a
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Static PE information: real checksum: 0x25c49 should be: 0x22c7a
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_0040B0A6 push ds; retf 1_2_0040B140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 1_2_004059D2 push ss; iretd 1_2_004059D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005642B4 push ebp; iretd 19_2_005642D9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\win.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00566C78 rdtsc 19_2_00566C78
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWo
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:U
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005604B6 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 19_2_005604B6
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00566C78 rdtsc 19_2_00566C78
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00563E23 LdrInitializeThunk, 19_2_00563E23
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00562286 mov eax, dword ptr fs:[00000030h] 19_2_00562286
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00563008 mov eax, dword ptr fs:[00000030h] 19_2_00563008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00562034 mov eax, dword ptr fs:[00000030h] 19_2_00562034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005661D3 mov eax, dword ptr fs:[00000030h] 19_2_005661D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005661C4 mov eax, dword ptr fs:[00000030h] 19_2_005661C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00564A7C mov eax, dword ptr fs:[00000030h] 19_2_00564A7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00566207 mov eax, dword ptr fs:[00000030h] 19_2_00566207
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00561AA2 mov eax, dword ptr fs:[00000030h] 19_2_00561AA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_005622A1 mov eax, dword ptr fs:[00000030h] 19_2_005622A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Code function: 19_2_00565364 mov eax, dword ptr fs:[00000030h] 19_2_00565364

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 356590
Sample: SecuriteInfo.com.Variant.Ra...
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  4 other signatures

Process tree:
  SecuriteInfo.com.Variant.Razy.845229.27038.exe (started)
    Signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements; Contains functionality to hide a thread from the debugger
    SecuriteInfo.com.Variant.Razy.845229.27038.exe (started, child)
      DNS/IP: mtspsmjeli.sch.id 103.150.60.242, ports 49754 -> 80, PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID, country unknown
      Dropped: C:\Users\user\AppData\Roaming\win.exe (PE32)
      Dropped: C:\Users\user\...\win.exe:Zone.Identifier (ASCII)
      Signatures: Tries to detect Any.run; Hides threads from debuggers
      wscript.exe (started)
        cmd.exe (started)
          win.exe (started)
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          conhost.exe (started)
  win.exe (started)

Contacted Public IPs

IP              Domain   Country  ASN    ASN Name                                       Malicious
103.150.60.242  unknown  unknown  45325  PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID   true

Contacted Domains

Name               IP              Active
mtspsmjeli.sch.id  103.150.60.242  true

Contacted URLs

Name                                                            Malicious  Antivirus Detection                           Reputation
http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin     true       13% (Virustotal); Avira URL Cloud: safe       unknown