Analysis Report New Order.exe

ID:	378076
Product:	CloudBasic
Start time:	13:48:10
Start date:	30.03.2021
Sample:	New Order.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e5faa6783f8abce89a77034a6b0825b1
SHA1:	0cd3d10099f15636939427029e894879506d4308
SHA256:	fa6a95fe5621a4e44287f2a8a732b4b76b7674e3c5cc7abd3fcf0593686306f6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Multi AV Scanner detection for submitted file

Source: New Order.exe

Virustotal: Detection: 21%

Perma Link

Compliance:

Uses 32bit PE files

Source: New Order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: New Order.exe, 00000000.00000002.727335573.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\New Order.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: New Order.exe, 00000000.00000000.202449906.000000000041D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEkstremumspunktet6.exe vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilenameEkstremumspunktet6.exe vs New Order.exe

Uses 32bit PE files

Source: New Order.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Classification label

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Creates temporary files

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD88C498F435A1F62.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\New Order.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: New Order.exe

Virustotal: Detection: 21%

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: New Order.exe PID: 1740, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: New Order.exe PID: 1740, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00403207 push ds; retf		0_2_00403220
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_004018B2 push cs; iretd		0_2_004018B4
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00407B46 push es; iretd		0_2_00407B49

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: New Order.exe, 00000000.00000002.732452352.0000000003D60000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\New Order.exe	RDTSC instruction interceptor: First address: 0000000003D60C39 second address: 0000000003D65855 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F117CA7744Eh 0x00000008 jmp 00007F117CA7267Ah 0x0000000a pushad 0x0000000b mov cx, FD56h 0x0000000f cmp cx, FD56h 0x00000014 jne 00007F117CA6DAB6h 0x0000001a popad 0x0000001b test ax, cx 0x0000001e call 00007F117CA72391h 0x00000023 jmp 00007F117CA72666h 0x00000025 pushad 0x00000026 mov esi, 0000008Ah 0x0000002b rdtsc
Source: C:\Users\user\Desktop\New Order.exe	RDTSC instruction interceptor: First address: 0000000003D65855 second address: 0000000003D6592E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, edi 0x00000005 test dx, 5956h 0x0000000a mov ecx, 00A95F60h 0x0000000f test edx, C04EE922h 0x00000015 cmp ebx, edx 0x00000017 cmp dl, dl 0x00000019 push ecx 0x0000001a jmp 00007F117CA648EEh 0x0000001c test dh, FFFFFF95h 0x0000001f call 00007F117CA64926h 0x00000024 call 00007F117CA64908h 0x00000029 lfence 0x0000002c mov edx, dword ptr [7FFE0014h] 0x00000032 lfence 0x00000035 ret 0x00000036 mov esi, edx 0x00000038 pushad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\New Order.exe	RDTSC instruction interceptor: First address: 0000000003D6592E second address: 0000000003D6592E instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F117CA72678h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test bx, dx 0x00000021 test bx, ax 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F117CA725DAh 0x0000002c cmp dl, dl 0x0000002e push ecx 0x0000002f jmp 00007F117CA7266Eh 0x00000031 test dh, FFFFFF95h 0x00000034 call 00007F117CA726A6h 0x00000039 call 00007F117CA72688h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: New Order.exe, 00000000.00000002.732452352.0000000003D60000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\New Order.exe

Process Stats: CPU usage > 90% for more than 60s

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock