Source: New Order.exe |
Virustotal: Detection: 21% |
Source: New Order.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: New Order.exe, 00000000.00000002.727335573.000000000073A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: initial sample |
Static PE information: Filename: New Order.exe |
Source: C:\Users\user\Desktop\New Order.exe |
Process Stats: CPU usage > 98% |
Source: New Order.exe, 00000000.00000000.202449906.000000000041D000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameEkstremumspunktet6.exe vs New Order.exe |
Source: New Order.exe |
Binary or memory string: OriginalFilenameEkstremumspunktet6.exe vs New Order.exe |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\New Order.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFD88C498F435A1F62.TMP |
Source: New Order.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\New Order.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\New Order.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: New Order.exe PID: 1740, type: MEMORY |
Source: C:\Users\user\Desktop\New Order.exe |
Code function: 0_2_00403207 push ds; retf |
0_2_00403220 |
Source: C:\Users\user\Desktop\New Order.exe |
Code function: 0_2_004018B2 push cs; iretd |
0_2_004018B4 |
Source: C:\Users\user\Desktop\New Order.exe |
Code function: 0_2_00407B46 push es; iretd |
0_2_00407B49 |
Source: C:\Users\user\Desktop\New Order.exe |
Process information set: NOOPENFILEERRORBOX |
Source: New Order.exe, 00000000.00000002.732452352.0000000003D60000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\New Order.exe |
RDTSC instruction interceptor: First address: 0000000003D60C39 second address: 0000000003D65855 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F117CA7744Eh 0x00000008 jmp 00007F117CA7267Ah 0x0000000a pushad 0x0000000b mov cx, FD56h 0x0000000f cmp cx, FD56h 0x00000014 jne 00007F117CA6DAB6h 0x0000001a popad 0x0000001b test ax, cx 0x0000001e call 00007F117CA72391h 0x00000023 jmp 00007F117CA72666h 0x00000025 pushad 0x00000026 mov esi, 0000008Ah 0x0000002b rdtsc |
Source: C:\Users\user\Desktop\New Order.exe |
RDTSC instruction interceptor: First address: 0000000003D65855 second address: 0000000003D6592E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edi, edi 0x00000005 test dx, 5956h 0x0000000a mov ecx, 00A95F60h 0x0000000f test edx, C04EE922h 0x00000015 cmp ebx, edx 0x00000017 cmp dl, dl 0x00000019 push ecx 0x0000001a jmp 00007F117CA648EEh 0x0000001c test dh, FFFFFF95h 0x0000001f call 00007F117CA64926h 0x00000024 call 00007F117CA64908h 0x00000029 lfence 0x0000002c mov edx, dword ptr [7FFE0014h] 0x00000032 lfence 0x00000035 ret 0x00000036 mov esi, edx 0x00000038 pushad 0x00000039 rdtsc |
Source: C:\Users\user\Desktop\New Order.exe |
RDTSC instruction interceptor: First address: 0000000003D6592E second address: 0000000003D6592E instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F117CA72678h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test bx, dx 0x00000021 test bx, ax 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F117CA725DAh 0x0000002c cmp dl, dl 0x0000002e push ecx 0x0000002f jmp 00007F117CA7266Eh 0x00000031 test dh, FFFFFF95h 0x00000034 call 00007F117CA726A6h 0x00000039 call 00007F117CA72688h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: New Order.exe, 00000000.00000002.732452352.0000000003D60000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\New Order.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: New Order.exe, 00000000.00000002.727561904.0000000000CC0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |