
Analysis Report SecuriteInfo.com.Variant.Razy.845229.27038.1852

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.845229.27038.1852 (renamed file extension from 1852 to exe)
Analysis ID: 356590
MD5: 869eae0220a293dcabf4051dd323bbd8
SHA1: 395e7683548c8a25c4963e3e3c56b04b76dbf0b7
SHA256: 496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
Tags: GuLoader

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Variant.Razy.845229.27038.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)
    • SecuriteInfo.com.Variant.Razy.845229.27038.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)
      • wscript.exe (PID: 6260 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 4272 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • win.exe (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 869EAE0220A293DCABF4051DD323BBD8)
  • win.exe (PID: 1636 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x11c7c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: mtspsmjeli.sch.id | Virustotal: Detection: 12%
Source: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin | Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\win.exe | ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Virustotal: Detection: 35%
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | ReversingLabs: Detection: 39%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Joe Sandbox View | IP Address: 103.150.60.242
Source: Joe Sandbox View | ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Source: global traffic | HTTP traffic detected:
  GET /cl/Jice_remcos%202_tfkxJbdn252.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: mtspsmjeli.sch.id
  Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: mtspsmjeli.sch.id
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_0056688B NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005604B6 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00565209 NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_0056506B NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_0056057F NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005605B2 NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00563635 NtSetInformationThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00560629 NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_0056069F NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00561AA2 NtSetInformationThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00560F41 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00560F23 NtProtectVirtualMemory
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.803089059.0000000002130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000000.801506120.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827975681.000000001E180000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827894653.000000001DEB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18
  date = 2018-02-14
  hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029
  author = Florian Roth
  description = Auto-generated rule - file scan copy.pdf.r11
  reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5
  license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/3@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File created: C:\Users\user\AppData\Local\Temp\~DFE447D3F5160C9423.TMP
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\win.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Virustotal: Detection: 35%
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY
Source: win.exe.19.dr | Static PE information: real checksum: 0x25c49 should be: 0x22c7a
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Static PE information: real checksum: 0x25c49 should be: 0x22c7a
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 1_2_0040B0A6 push ds; retf 1_2_0040B140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 1_2_004059D2 push ss; iretd 1_2_004059D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005642B4 push ebp; iretd 19_2_005642D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\win.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:
Source: C:\Windows\SysWOW64\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00566C78 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWo
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:U
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005604B6 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 19_2_005604B6
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00566C78 rdtsc 19_2_00566C78
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00563E23 LdrInitializeThunk, 19_2_00563E23
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00562286 mov eax, dword ptr fs:[00000030h] 19_2_00562286
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00563008 mov eax, dword ptr fs:[00000030h] 19_2_00563008
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00562034 mov eax, dword ptr fs:[00000030h] 19_2_00562034
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005661D3 mov eax, dword ptr fs:[00000030h] 19_2_005661D3
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005661C4 mov eax, dword ptr fs:[00000030h] 19_2_005661C4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00564A7C mov eax, dword ptr fs:[00000030h] 19_2_00564A7C
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00566207 mov eax, dword ptr fs:[00000030h] 19_2_00566207
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00561AA2 mov eax, dword ptr fs:[00000030h] 19_2_00561AA2
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_005622A1 mov eax, dword ptr fs:[00000030h] 19_2_005622A1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Code function: 19_2_00565364 mov eax, dword ptr fs:[00000030h] 19_2_00565364
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
      Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
      Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Scripting 11 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 22 | LSASS Memory | Security Software Discovery 731 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 22 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 212 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

      Behavior Graph