Source: Product Order 2070121_SN-WS.exe |
Virustotal: Detection: 35% |
Source: Product Order 2070121_SN-WS.exe |
ReversingLabs: Detection: 12% |
Source: Product Order 2070121_SN-WS.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743508753.00000000006EA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: initial sample |
Static PE information: Filename: Product Order 2070121_SN-WS.exe |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Code functions: 0_2_00403809, 0_2_00403436, 0_2_00403C3D, 0_2_004034CB, 0_2_004038E2, 0_2_00403481, 0_2_00403C87, 0_2_00403899, 0_2_0040355D, 0_2_0040397A, 0_2_00403510, 0_2_00403D15, 0_2_0040392B, 0_2_004039C8, 0_2_004031E0, 0_2_004035FB, 0_2_00403199, 0_2_004035AB, 0_2_00403A4F, 0_2_00403A0D, 0_2_00403229, 0_2_0040363E, 0_2_004036D6, 0_2_00403AD9, 0_2_00403686, 0_2_00403A97, 0_2_004032B6, 0_2_004032B9, 0_2_0040334E, 0_2_00403B6C, 0_2_0040376D, 0_2_00403303, 0_2_004033E5, 0_2_00403BF3, 0_2_0040339B, 0_2_00403BAF |
Source: Product Order 2070121_SN-WS.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743120973.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameReselects1.exe vs Product Order 2070121_SN-WS.exe |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744030937.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Product Order 2070121_SN-WS.exe |
Source: Product Order 2070121_SN-WS.exe |
Binary or memory string: OriginalFilenameReselects1.exe vs Product Order 2070121_SN-WS.exe |
Source: classification engine |
Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0 |
Source: Product Order 2070121_SN-WS.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: Product Order 2070121_SN-WS.exe PID: 6336, type: MEMORY |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Code function: 0_2_00409005 push cs; retf (0_2_00408FFF) |
Code function: 0_2_00403269 push cs; retf (0_2_0040326D) |
Code function: 0_2_0040466F push ds; retf (0_2_00404670) |
Code function: 0_2_00408FF4 push cs; retf (0_2_00408FFF) |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Code function: 0_2_020C3536 |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
RDTSC instruction interceptor: First address: 00000000020C00EA second address: 00000000020C00EA instructions: |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744118229.00000000020C0000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF |
Source: Product Order 2070121_SN-WS.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
RDTSC instruction interceptor: First address: 00000000020C1F45 second address: 00000000020C1F45 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FFB20DF0C8Ah
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d cmp ch, 00000073h
  0x00000020 pop ecx
  0x00000021 add edi, edx
  0x00000023 jmp 00007FFB20DF0CD0h
  0x00000025 dec ecx
  0x00000026 cmp ecx, 00000000h
  0x00000029 jne 00007FFB20DF0C20h
  0x0000002b push ecx
  0x0000002c call 00007FFB20DF0CFEh
  0x00000031 call 00007FFB20DF0C9Ah
  0x00000036 lfence
  0x00000039 mov edx, dword ptr [7FFE0014h]
  0x0000003f lfence
  0x00000042 ret
  0x00000043 mov esi, edx
  0x00000045 pushad
  0x00000046 rdtsc |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Code function: 0_2_020C4609 rdtsc |
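The interceptor trace above is the sandbox's flattened rendering of the sample's timing check: RDTSC, then CPUID with EAX=1 (which unconditionally exits to a hypervisor and so stretches the TSC delta under virtualisation), then a read of the wall clock from KUSER_SHARED_DATA.SystemTime at 0x7FFE0014, bracketed by LFENCE. The following Python is an editor's example, not part of the sandbox report, that parses that trace format into per-instruction records, annotates the instructions that make up the check, and summarises them. Only the trace text is transcribed from the report; the annotations are the editor's reading of the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Transcribed from the report's "RDTSC instruction interceptor" entry for
# 0x020C1F45 above; everything else in this block is example code.
TRACE_020C1F45 = (
    "0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid "
    "0x00000007 popad 0x00000008 call 00007FFB20DF0C8Ah 0x0000000d lfence "
    "0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret "
    "0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ch, 00000073h "
    "0x00000020 pop ecx 0x00000021 add edi, edx 0x00000023 jmp 00007FFB20DF0CD0h "
    "0x00000025 dec ecx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FFB20DF0C20h "
    "0x0000002b push ecx 0x0000002c call 00007FFB20DF0CFEh 0x00000031 call 00007FFB20DF0C9Ah "
    "0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence "
    "0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc"
)

# KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every Win32 process;
# offset 0x14 is SystemTime, a wall-clock reference readable without a syscall.
KUSER_SYSTEMTIME = "7FFE0014h"

# One "0xOFFSET mnemonic [operands]" unit; the lookahead stops before the next
# offset token (operands never carry a 0x prefix in this trace format).
_INSN_RE = re.compile(r"(0x[0-9a-fA-F]{8})\s+(.+?)(?=\s+0x[0-9a-fA-F]{8}\s|\s*$)")


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operands: str
    note: str


def annotate(mnemonic: str, operands: str) -> str:
    """Editor's annotation of the instructions that form the timing check."""
    if mnemonic == "rdtsc":
        return "time-stamp counter read (one leg of the timing check)"
    if mnemonic == "cpuid":
        return "serialising; always exits to a hypervisor, inflating the TSC delta under a VM"
    if mnemonic == "lfence":
        return "fence so the time read is not reordered"
    if KUSER_SYSTEMTIME in operands:
        return "reads KUSER_SHARED_DATA.SystemTime (wall-clock reference)"
    return ""


def parse_trace(text: str) -> List[Insn]:
    """Split the sandbox's flattened trace into Insn records; '' yields []."""
    insns = []
    for off, body in _INSN_RE.findall(text):
        parts = body.split(None, 1)
        mnem = parts[0].lower()
        ops = parts[1] if len(parts) > 1 else ""
        insns.append(Insn(int(off, 16), mnem, ops, annotate(mnem, ops)))
    return insns


def timing_summary(insns: List[Insn]) -> Dict[str, int]:
    """Counts of the instructions that matter for a RDTSC/CPUID timing check."""
    return {
        "rdtsc": sum(i.mnemonic == "rdtsc" for i in insns),
        "cpuid": sum(i.mnemonic == "cpuid" for i in insns),
        "systemtime_reads": sum(KUSER_SYSTEMTIME in i.operands for i in insns),
    }


def listing(insns: List[Insn]) -> str:
    """One instruction per line, with the annotation as a trailing comment."""
    return "\n".join(
        f"{i.offset:#06x}  {i.mnemonic:<6} {i.operands:<32} ; {i.note}".rstrip(" ;")
        for i in insns
    )


if __name__ == "__main__":
    parsed = parse_trace(TRACE_020C1F45)
    print(listing(parsed))
    print(timing_summary(parsed))
```

The summary for this trace is two RDTSC reads, one CPUID and two SystemTime reads, which is the shape of a "TSC delta versus wall-clock delta" comparison; the empty interceptor entries for 0x020C00EA elsewhere in the report parse to an empty list rather than raising.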
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.744118229.00000000020C0000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef |
Source: Product Order 2070121_SN-WS.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Product Order 2070121_SN-WS.exe |
Code function: 0_2_020C3E13 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C3636 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C1472 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C0E88 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C3D53 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C397F mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C1DEE mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_020C13F4 mov eax, dword ptr fs:[00000030h] |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: Product Order 2070121_SN-WS.exe, 00000000.00000002.743695185.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
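The indicators in this report fall into two groups that can be re-checked statically on the dropped file or a memory dump: opcode sequences (RDTSC, CPUID, the PEB read via fs:[30h], and the push cs/retf junk that derails linear disassembly) and strings (the qemu-ga path, the Shell_TrayWnd and Progman window classes, the msvbvm60.dll import). The following Python is an editor's example, not part of the sandbox report, that scans a buffer for both. Two-byte opcodes are noisy in data, so the scanner restricts them to IMAGE_SCN_MEM_EXECUTE sections when the input parses as a PE and falls back to the whole buffer otherwise; strings are matched in both ASCII and UTF-16LE because VB6 keeps most of its strings wide. The SAMPLE buffer is constructed for the example and is not the real binary.

```python
import re
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Opcode sequences behind the report's "Code function" entries. Each is legal in
# benign code (the VB6 runtime itself reads the PEB), so treat hits as triage
# signals, not verdicts.
OPCODE_PATTERNS: Dict[str, bytes] = {
    "rdtsc": b"\x0f\x31",
    "cpuid": b"\x0f\xa2",
    "mov eax, fs:[30h]": b"\x64\xa1\x30\x00\x00\x00",  # PEB pointer via the TEB
    "push cs; retf": b"\x0e\xcb",                      # anti-disassembly junk
    "push ds; retf": b"\x1e\xcb",
}


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string, as VB6 stores most of its strings."""
    return s.decode("ascii").encode("utf-16-le")


def _either(s: bytes, flags: int = 0):
    """Regex matching the ASCII or the UTF-16LE form of s."""
    return re.compile(re.escape(s) + b"|" + re.escape(wide(s)), flags)


# Strings the report pulled from the binary and its memory.
STRING_PATTERNS = {
    "qemu-ga path": _either(b"qemu-ga.exe", re.IGNORECASE),
    "Shell_TrayWnd": _either(b"Shell_TrayWnd"),
    "Progman": _either(b"Progman"),
    "msvbvm60.dll": _either(b"msvbvm60.dll", re.IGNORECASE),
}


def executable_ranges(data: bytes) -> List[Tuple[int, int]]:
    """(start, end) file offsets of executable sections, or the whole buffer
    when data is not a parseable PE (raw memory dumps, truncated files)."""
    whole = [(0, len(data))]
    try:
        if data[:2] != b"MZ":
            return whole
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return whole
        nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
        ranges = []
        for i in range(nsec):
            hdr = table + 40 * i
            raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
            chars = struct.unpack_from("<I", data, hdr + 36)[0]
            if chars & IMAGE_SCN_MEM_EXECUTE and raw_size:
                ranges.append((raw_ptr, min(raw_ptr + raw_size, len(data))))
        return ranges or whole
    except struct.error:                           # header runs off the buffer
        return whole


def scan(data: bytes) -> List[Tuple[int, str]]:
    """All (offset, indicator) hits, opcodes restricted to executable ranges."""
    hits = []
    for start, end in executable_ranges(data):
        chunk = data[start:end]
        for name, pat in OPCODE_PATTERNS.items():
            pos = chunk.find(pat)
            while pos != -1:
                hits.append((start + pos, name))
                pos = chunk.find(pat, pos + 1)
    for name, rx in STRING_PATTERNS.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


def triage(data: bytes) -> Dict[str, int]:
    """Hit count per indicator, the shape a triage line would report."""
    counts: Dict[str, int] = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed test input (not the real sample): opcodes first, then strings.
SAMPLE = (
    b"\x90" * 8
    + b"\x0f\x31" + b"\x0f\xa2" + b"\x64\xa1\x30\x00\x00\x00" + b"\x0e\xcb"
    + b"Shell_TrayWnd\x00" + wide(b"Progman")
    + b"C:\\Program Files\\Qemu-ga\\qemu-ga.exe\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#08x}  {name}")
    print(triage(SAMPLE))
```

Run it over the file on disk and over the 0x020C0000 memory region separately: the RDTSC/CPUID/fs:[30h] code lives in the unpacked region, so a clean result on the file alone only says the patterns are not present in plain form.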