Source: Order 3350191107102300.bat.exe
Virustotal: Detection: 39%
Source: Order 3350191107102300.bat.exe
ReversingLabs: Detection: 37%
Source: Order 3350191107102300.bat.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744618411.000000000078A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: initial sample
Static PE information: Filename: Order 3350191107102300.bat.exe
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_004012C4 0_2_004012C4
Source: Order 3350191107102300.bat.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order 3350191107102300.bat.exe, 00000000.00000000.218631460.000000000040F000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744578137.0000000000750000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs Order 3350191107102300.bat.exe
Source: Order 3350191107102300.bat.exe
Binary or memory string: OriginalFilenameCODFISH.exe vs Order 3350191107102300.bat.exe
Source: classification engine
Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: Order 3350191107102300.bat.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match
File source: Process Memory Space: Order 3350191107102300.bat.exe PID: 3276, type: MEMORY
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_0040504D push edi; ret 0_2_00405055
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00404A52 pushad ; iretd 0_2_00404A5C
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00405062 push edi; ret 0_2_0040506D
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_0040522D pushfd ; retf 0_2_00405230
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00405C3C pushfd ; ret 0_2_00405C47
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00403CCC push ecx; ret 0_2_00403CCD
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00408972 push ebx; retf 0_2_00408975
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00409102 pushad ; iretd 0_2_00409108
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_00408926 pushad ; retf 0_2_00408940
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_004059A8 push cs; ret 0_2_004059A9
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A862B0 push eax; ret 0_2_02A862B1
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A85E99 push F6FE382Ah; ret 0_2_02A85E9F
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A83E9F push ebx; iretd 0_2_02A83EA0
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A84628 pushfd ; retf 0_2_02A84634
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A85B34 push edi; ret 0_2_02A85B36
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A8347F push eax; ret 0_2_02A83488
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A81951 push es; retf 0_2_02A81952
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Process information set: NOOPENFILEERRORBOX
Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmp
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF9
Source: Order 3350191107102300.bat.exe
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
RDTSC instruction interceptor: First address: 0000000002A83066 second address: 0000000002A83066 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F2BA038A159h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d test cx, 6B86h
  0x00000022 pop ecx
  0x00000023 jmp 00007F2BA038A152h
  0x00000025 test eax, eax
  0x00000027 add edi, edx
  0x00000029 cmp bl, cl
  0x0000002b dec ecx
  0x0000002c cmp ecx, 00000000h
  0x0000002f jne 00007F2BA038A0F2h
  0x00000031 cmp bl, dl
  0x00000033 push ecx
  0x00000034 cmp eax, ecx
  0x00000036 test ch, ah
  0x00000038 call 00007F2BA038A178h
  0x0000003d call 00007F2BA038A169h
  0x00000042 lfence
  0x00000045 mov edx, dword ptr [7FFE0014h]
  0x0000004b lfence
  0x0000004e ret
  0x0000004f mov esi, edx
  0x00000051 pushad
  0x00000052 rdtsc
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A8329B rdtsc 0_2_02A8329B
Source: Order 3350191107102300.bat.exe, 00000000.00000002.746595733.0000000002A80000.00000040.00000001.sdmp
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef9
Source: Order 3350191107102300.bat.exe
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A82EE9 mov eax, dword ptr fs:[00000030h] 0_2_02A82EE9
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A81FD2 mov eax, dword ptr fs:[00000030h] 0_2_02A81FD2
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A81FD7 mov eax, dword ptr fs:[00000030h] 0_2_02A81FD7
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A858EA mov eax, dword ptr fs:[00000030h] 0_2_02A858EA
Source: C:\Users\user\Desktop\Order 3350191107102300.bat.exe
Code function: 0_2_02A854F3 mov eax, dword ptr fs:[00000030h] 0_2_02A854F3
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp
Binary or memory string: SProgram Managerl
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd,
Source: Order 3350191107102300.bat.exe, 00000000.00000002.744733487.0000000000E10000.00000002.00000001.sdmp
Binary or memory string: Progmanlock