Analysis Report Product Order 2070121_SN-WS.scr

Overview

General Information

Sample Name: Product Order 2070121_SN-WS.scr (renamed file extension from scr to exe)
Analysis ID: 358442
MD5: 1c6aec49b015d3ae4bee86b84bb37a42
SHA1: 9cfbd68f389d4106557b7daea67bb95b8c51eea7
SHA256: e1fdbaebafc61e8a7d21913134e3c83104805f2bdb932525108da2f3c35176ee
Tags: GuLoader, scr

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Product Order 2070121_SN-WS.exe Virustotal: Detection: 35%
Source: Product Order 2070121_SN-WS.exe ReversingLabs: Detection: 12%

Compliance:

Uses 32bit PE files
Source: Product Order 2070121_SN-WS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743508753.00000000006EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Product Order 2070121_SN-WS.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403809 0_2_00403809
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403436 0_2_00403436
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403C3D 0_2_00403C3D
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004034CB 0_2_004034CB
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004038E2 0_2_004038E2
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403481 0_2_00403481
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403C87 0_2_00403C87
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403899 0_2_00403899
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040355D 0_2_0040355D
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040397A 0_2_0040397A
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403510 0_2_00403510
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403D15 0_2_00403D15
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040392B 0_2_0040392B
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004039C8 0_2_004039C8
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004031E0 0_2_004031E0
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004035FB 0_2_004035FB
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403199 0_2_00403199
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004035AB 0_2_004035AB
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403A4F 0_2_00403A4F
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403A0D 0_2_00403A0D
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403229 0_2_00403229
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040363E 0_2_0040363E
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004036D6 0_2_004036D6
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403AD9 0_2_00403AD9
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403686 0_2_00403686
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403A97 0_2_00403A97
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004032B6 0_2_004032B6
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004032B9 0_2_004032B9
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040334E 0_2_0040334E
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403B6C 0_2_00403B6C
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040376D 0_2_0040376D
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403303 0_2_00403303
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_004033E5 0_2_004033E5
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403BF3 0_2_00403BF3
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040339B 0_2_0040339B
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403BAF 0_2_00403BAF
PE file contains strange resources
Source: Product Order 2070121_SN-WS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743120973.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReselects1.exe vs Product Order 2070121_SN-WS.exe
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744030937.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Product Order 2070121_SN-WS.exe
Source: Product Order 2070121_SN-WS.exe Binary or memory string: OriginalFilenameReselects1.exe vs Product Order 2070121_SN-WS.exe
Uses 32bit PE files
Source: Product Order 2070121_SN-WS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: Product Order 2070121_SN-WS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Product Order 2070121_SN-WS.exe Virustotal: Detection: 35%
Source: Product Order 2070121_SN-WS.exe ReversingLabs: Detection: 12%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Product Order 2070121_SN-WS.exe PID: 6336, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Product Order 2070121_SN-WS.exe PID: 6336, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00409005 push cs; retf 0_2_00408FFF
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00403269 push cs; retf 0_2_0040326D
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_0040466F push ds; retf 0_2_00404670
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_00408FF4 push cs; retf 0_2_00408FFF
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C3536 0_2_020C3536
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe RDTSC instruction interceptor: First address: 00000000020C00EA second address: 00000000020C00EA instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744118229.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF
Source: Product Order 2070121_SN-WS.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe RDTSC instruction interceptor: First address: 00000000020C00EA second address: 00000000020C00EA instructions:
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe RDTSC instruction interceptor: First address: 00000000020C1F45 second address: 00000000020C1F45 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FFB20DF0C8Ah
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d cmp ch, 00000073h
  0x00000020 pop ecx
  0x00000021 add edi, edx
  0x00000023 jmp 00007FFB20DF0CD0h
  0x00000025 dec ecx
  0x00000026 cmp ecx, 00000000h
  0x00000029 jne 00007FFB20DF0C20h
  0x0000002b push ecx
  0x0000002c call 00007FFB20DF0CFEh
  0x00000031 call 00007FFB20DF0C9Ah
  0x00000036 lfence
  0x00000039 mov edx, dword ptr [7FFE0014h]
  0x0000003f lfence
  0x00000042 ret
  0x00000043 mov esi, edx
  0x00000045 pushad
  0x00000046 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C4609 rdtsc 0_2_020C4609
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744118229.00000000020C0000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef
Source: Product Order 2070121_SN-WS.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C4609 rdtsc 0_2_020C4609
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C3E13 mov eax, dword ptr fs:[00000030h] 0_2_020C3E13
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C3636 mov eax, dword ptr fs:[00000030h] 0_2_020C3636
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C1472 mov eax, dword ptr fs:[00000030h] 0_2_020C1472
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C0E88 mov eax, dword ptr fs:[00000030h] 0_2_020C0E88
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C3D53 mov eax, dword ptr fs:[00000030h] 0_2_020C3D53
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C397F mov eax, dword ptr fs:[00000030h] 0_2_020C397F
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C1DEE mov eax, dword ptr fs:[00000030h] 0_2_020C1DEE
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe Code function: 0_2_020C13F4 mov eax, dword ptr fs:[00000030h] 0_2_020C13F4
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph

Behavior Graph ID: 358442
Sample: Product Order 2070121_SN-WS.scr
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 88
Top signatures: Potential malicious icon found; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 6 other signatures
Process started: Product Order 2070121_SN-WS.exe
No contacted IP infos