Analysis Report http://covid19vaccine.hopto.org/march%20OG.exe

Overview

General Information

Sample URL: http://covid19vaccine.hopto.org/march%20OG.exe
Analysis ID: 365435

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
PE file contains strange resources
Potential browser exploit detected (process start blacklist hit)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://covid19vaccine.hopto.org/march%20OG.exe Avira URL Cloud: detection malicious, Label: malware
Multi AV Scanner detection for domain / URL
Source: covid19vaccine.hopto.org Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: http://covid19vaccine.hopto.org/march%20OG.exe Virustotal: Detection: 17%
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 09 Mar 2021 14:36:37 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.2
    Last-Modified: Wed, 03 Mar 2021 00:26:30 GMT
    ETag: "17000-5bc96e70c1a4b"
    Accept-Ranges: bytes
    Content-Length: 94208
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected:
    GET /march%20OG.exe HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: covid19vaccine.hopto.org
    Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: covid19vaccine.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: march OG.exe, 00000011.00000002.450348913.000000000072A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232721 NtWriteVirtualMemory, 17_2_02232721
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0223057F EnumWindows,NtSetInformationThread, 17_2_0223057F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022365EB NtProtectVirtualMemory, 17_2_022365EB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0223063C NtSetInformationThread, 17_2_0223063C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232A70 NtWriteVirtualMemory, 17_2_02232A70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02231AB7 NtWriteVirtualMemory, 17_2_02231AB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0223068C NtSetInformationThread, 17_2_0223068C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022306E7 NtSetInformationThread, 17_2_022306E7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232739 NtWriteVirtualMemory, 17_2_02232739
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232B04 NtWriteVirtualMemory, 17_2_02232B04
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232B53 NtWriteVirtualMemory, 17_2_02232B53
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022327A1 NtWriteVirtualMemory, 17_2_022327A1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232BAB NtWriteVirtualMemory, 17_2_02232BAB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02235FF4 NtWriteVirtualMemory, 17_2_02235FF4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022327DF NtWriteVirtualMemory, 17_2_022327DF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232843 NtWriteVirtualMemory, 17_2_02232843
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022328E1 NtWriteVirtualMemory, 17_2_022328E1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232949 NtWriteVirtualMemory, 17_2_02232949
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00566A72 NtProtectVirtualMemory, 26_2_00566A72
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0040A0CB 17_2_0040A0CB
PE file contains strange resources
Source: march%20OG[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: march OG.exe.0mzlwub.partial.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.evad.win@7/9@1/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9FFFDC171AAF0B67.TMP
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Run (repeated 11 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: march OG.exe PID: 3652, type: MEMORY
Source: Yara match File source: Process Memory Space: march OG.exe PID: 6092, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: march OG.exe PID: 3652, type: MEMORY
Source: Yara match File source: Process Memory Space: march OG.exe PID: 6092, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0040A0CB pushfd ; retn 2B2Fh 17_2_0040A0CA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_004070BF push esi; retf 17_2_004070C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_00403B43 push cs; retf 17_2_00403B91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_00409B29 push eax; retf 17_2_00409B34
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_00403B94 push cs; retf 17_2_00403B91

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Process information set: NOOPENFILEERRORBOX (repeated 3 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232721 NtWriteVirtualMemory, 17_2_02232721
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02231AB7 NtWriteVirtualMemory, 17_2_02231AB7
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002235A4C second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6750BF8268h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007F6750BF827Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 00000000022359EC second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007F6750BF81F2h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007F6750BF827Ah 0x00000037 cmp eax, eax 0x00000039 call 00007F6750BF82F7h 0x0000003e call 00007F6750BF83C4h 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 000000000223328E second address: 000000000223328E instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002230785 second address: 0000000002230785 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002234DF4 second address: 0000000002232E33 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007F6750CA9E6Eh 0x0000000d cmp ah, ah 0x0000000f retn 0008h 0x00000012 test bh, ch 0x00000014 cmp ax, 00004630h 0x00000018 cmp cx, bx 0x0000001b cmp dword ptr [ebp+48h], 00000000h 0x0000001f jne 00007F6750CA9E98h 0x00000021 pushad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002232E33 second address: 0000000002232E33 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002232A55 second address: 0000000002232A55 instructions:
Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: march OG.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002235A4C second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6750BF8268h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007F6750BF827Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 00000000022359D3 second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 dec dword ptr [ebp+000000F8h] 0x00000009 nop 0x0000000a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000011 jne 00007F6750BC977Ch 0x00000013 call 00007F6750BC9864h 0x00000018 call 00007F6750BC97D8h 0x0000001d lfence 0x00000020 mov edx, dword ptr [7FFE0014h] 0x00000026 lfence 0x00000029 ret 0x0000002a mov esi, edx 0x0000002c pushad 0x0000002d nop 0x0000002e nop 0x0000002f xor eax, eax 0x00000031 inc eax 0x00000032 nop 0x00000033 nop 0x00000034 popad 0x00000035 mov edx, 00000001h 0x0000003a nop 0x0000003b nop 0x0000003c ret 0x0000003d test dx, A4B7h 0x00000042 test bl, FFFFFFE9h 0x00000045 add edi, edx 0x00000047 jmp 00007F6750BC97DEh 0x00000049 pushad 0x0000004a mov edi, 00000097h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 00000000022359EC second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007F6750BF81F2h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007F6750BF827Ah 0x00000037 cmp eax, eax 0x00000039 call 00007F6750BF82F7h 0x0000003e call 00007F6750BF83C4h 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002235A8B second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6750BC9D4Dh 0x0000001d popad 0x0000001e call 00007F6750BC990Ch 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 000000000223328E second address: 000000000223328E instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002230785 second address: 0000000002230785 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 000000000223099C second address: 00000000022309B8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 555E1691h 0x00000010 je 00007F6750BFD776h 0x00000016 pushad 0x00000017 mov eax, 0000006Fh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002230B7B second address: 0000000002230B8E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000030h 0x0000000d pushad 0x0000000e mov eax, 0000003Ch 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002234DF4 second address: 0000000002232E33 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007F6750CA9E6Eh 0x0000000d cmp ah, ah 0x0000000f retn 0008h 0x00000012 test bh, ch 0x00000014 cmp ax, 00004630h 0x00000018 cmp cx, bx 0x0000001b cmp dword ptr [ebp+48h], 00000000h 0x0000001f jne 00007F6750CA9E98h 0x00000021 pushad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002232E33 second address: 0000000002232E33 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe RDTSC instruction interceptor: First address: 0000000002232A55 second address: 0000000002232A55 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232721 rdtsc 17_2_02232721
Source: march OG.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0223057F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079 17_2_0223057F
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232721 rdtsc 17_2_02232721
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022335C8 LdrInitializeThunk, 17_2_022335C8
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232230 mov eax, dword ptr fs:[00000030h] 17_2_02232230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232254 mov eax, dword ptr fs:[00000030h] 17_2_02232254
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02231AB7 mov eax, dword ptr fs:[00000030h] 17_2_02231AB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02232ED0 mov eax, dword ptr fs:[00000030h] 17_2_02232ED0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_0223574D mov eax, dword ptr fs:[00000030h] 17_2_0223574D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02236071 mov eax, dword ptr fs:[00000030h] 17_2_02236071
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022360FB mov eax, dword ptr fs:[00000030h] 17_2_022360FB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022360DD mov eax, dword ptr fs:[00000030h] 17_2_022360DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_022351D5 mov eax, dword ptr fs:[00000030h] 17_2_022351D5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00566071 mov eax, dword ptr fs:[00000030h] 26_2_00566071
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_005660DD mov eax, dword ptr fs:[00000030h] 26_2_005660DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00561CDA mov eax, dword ptr fs:[00000030h] 26_2_00561CDA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_005660FB mov eax, dword ptr fs:[00000030h] 26_2_005660FB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_005651D5 mov eax, dword ptr fs:[00000030h] 26_2_005651D5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00562254 mov eax, dword ptr fs:[00000030h] 26_2_00562254
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00562230 mov eax, dword ptr fs:[00000030h] 26_2_00562230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_00562ED0 mov eax, dword ptr fs:[00000030h] 26_2_00562ED0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 26_2_0056574D mov eax, dword ptr fs:[00000030h] 26_2_0056574D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe Code function: 17_2_02233D0A cpuid 17_2_02233D0A

Behavior Graph

Behavior Graph ID: 365435, URL: http://covid19vaccine.hopto..., start date: 09/03/2021, architecture: WINDOWS, score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 8 other signatures
Process tree: iexplore.exe started iexplore.exe and march OG.exe; march OG.exe started a second march OG.exe
Network (from iexplore.exe): covid19vaccine.hopto.org, 46.183.222.6, ports 49701, 49702, 80, DATACLUBLV, Latvia; 192.168.2.1, unknown
Dropped files (by iexplore.exe): C:\Users\user\AppData\...\march%20OG[1].exe (PE32); C:\Users\...\march OG.exe.0mzlwub.partial (PE32)
Signatures on march OG.exe: Tries to detect Any.run; Hides threads from debuggers

Contacted Public IPs

IP            Domain                    Country  ASN    ASN Name    Malicious
46.183.222.6  covid19vaccine.hopto.org  Latvia   52048  DATACLUBLV  true

Private IPs

IP
192.168.2.1

Contacted Domains

Name                      IP            Active
covid19vaccine.hopto.org  46.183.222.6  true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://covid19vaccine.hopto.org/march%20OG.exe true
    unknown
    0 true low