Analysis Report Orden de Compra.exe

Overview

General Information

Sample Name:	Orden de Compra.exe
Analysis ID:	383316
MD5:	e6dcf6b66b611ffb7d2bc1a8045bf41f
SHA1:	7b3871b1b077f764175c6d387e846372128a89ee
SHA256:	280e118484090c0a9788dcad52f37995822757f44d230c9ff042c3507d8e20a3
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Orden de Compra.exe	Virustotal: Detection: 48%			Perma Link
Source: Orden de Compra.exe	ReversingLabs: Detection: 10%

Machine Learning detection for sample

Source: Orden de Compra.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Orden de Compra.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Orden de Compra.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00408F7E	1_2_00408F7E
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040904E	1_2_0040904E
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040942F	1_2_0040942F
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_004090D1	1_2_004090D1
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00409158	1_2_00409158
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040D5E2	1_2_0040D5E2
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_004095E7	1_2_004095E7
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040959E	1_2_0040959E
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00409672	1_2_00409672
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_004092D3	1_2_004092D3
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_004096FD	1_2_004096FD
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040931B	1_2_0040931B
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00409796	1_2_00409796
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_004093A0	1_2_004093A0
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00408FBB	1_2_00408FBB

PE file contains strange resources

Source: Orden de Compra.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Orden de Compra.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Orden de Compra.exe, 00000001.00000002.1048423132.0000000002260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Orden de Compra.exe
Source: Orden de Compra.exe, 00000001.00000000.649686134.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGulvhoejde9.exe vs Orden de Compra.exe
Source: Orden de Compra.exe	Binary or memory string: OriginalFilenameGulvhoejde9.exe vs Orden de Compra.exe

Uses 32bit PE files

Source: Orden de Compra.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal64.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Orden de Compra.exe

File created: C:\Users\user\AppData\Local\Temp\~DF03F3B1BA238AA763.TMP

Jump to behavior

Source: Orden de Compra.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Orden de Compra.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Orden de Compra.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Orden de Compra.exe	Virustotal: Detection: 48%
Source: Orden de Compra.exe	ReversingLabs: Detection: 10%

Data Obfuscation:

PE file contains an invalid checksum

Source: Orden de Compra.exe

Static PE information: real checksum: 0x267f4 should be: 0x2673a

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00402027 push ss; ret	1_2_0040204C
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00404569 push FFFFFFCDh; ret	1_2_004046DC
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040753C push ebx; ret	1_2_0040753E
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040D5E2 pushfd ; iretd	1_2_0040D812
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00404671 push FFFFFFCDh; ret	1_2_004046DC
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040BA18 push 7600FFCEh; iretd	1_2_0040BA1D
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_0040DAC0 push ss; ret	1_2_0040DAC7
Source: C:\Users\user\Desktop\Orden de Compra.exe	Code function: 1_2_00407AF1 push FFFFFF85h; ret	1_2_00407AF3

Source: C:\Users\user\Desktop\Orden de Compra.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000465B81 second address: 0000000000465B81 instructions:
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000463395 second address: 0000000000463395 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F2E6436BD88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cld 0x0000001e pop ecx 0x0000001f add edi, edx 0x00000021 jmp 00007F2E6436BD9Ah 0x00000023 cmp bx, dx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F2E6436BD50h 0x0000002c test al, cl 0x0000002e push ecx 0x0000002f test bl, FFFFFFB4h 0x00000032 call 00007F2E6436BDDDh 0x00000037 call 00007F2E6436BD98h 0x0000003c lfence 0x0000003f mov edx, dword ptr [7FFE0014h] 0x00000045 lfence 0x00000048 ret 0x00000049 mov esi, edx 0x0000004b pushad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000463468 second address: 00000000004635BF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ch, dh 0x0000000c xor edi, edi 0x0000000e cmp cl, cl 0x00000010 cld 0x00000011 mov ecx, 000186A0h 0x00000016 push ecx 0x00000017 jmp 00007F2E6436BD9Ah 0x00000019 cmp bx, 495Bh 0x0000001e cmp eax, eax 0x00000020 call 00007F2E6436BE16h 0x00000025 call 00007F2E6436BE06h 0x0000002a lfence 0x0000002d rdtsc

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 000000000046054A second address: 0000000000465F85 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 2D9CC76Ch 0x00000010 test dl, dl 0x00000012 test bl, cl 0x00000014 test eax, eax 0x00000016 call 00007F2E64371D9Bh 0x0000001b cmp edi, 0DCBE3ACh 0x00000021 cmp ecx, edx 0x00000023 cmp edx, edx 0x00000025 jmp 00007F2E6436C3BAh 0x00000027 pushad 0x00000028 mov ebx, 000000C5h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000465B81 second address: 0000000000465B81 instructions:
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000463395 second address: 0000000000463395 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F2E6436BD88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cld 0x0000001e pop ecx 0x0000001f add edi, edx 0x00000021 jmp 00007F2E6436BD9Ah 0x00000023 cmp bx, dx 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F2E6436BD50h 0x0000002c test al, cl 0x0000002e push ecx 0x0000002f test bl, FFFFFFB4h 0x00000032 call 00007F2E6436BDDDh 0x00000037 call 00007F2E6436BD98h 0x0000003c lfence 0x0000003f mov edx, dword ptr [7FFE0014h] 0x00000045 lfence 0x00000048 ret 0x00000049 mov esi, edx 0x0000004b pushad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000463437 second address: 0000000000463468 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F2E6439AACAh 0x00000005 test cx, dx 0x00000008 mov dword ptr [ebp+0000009Ch], 00000000h 0x00000012 test esi, 206C76DAh 0x00000018 pushad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 0000000000463468 second address: 00000000004635BF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ch, dh 0x0000000c xor edi, edi 0x0000000e cmp cl, cl 0x00000010 cld 0x00000011 mov ecx, 000186A0h 0x00000016 push ecx 0x00000017 jmp 00007F2E6436BD9Ah 0x00000019 cmp bx, 495Bh 0x0000001e cmp eax, eax 0x00000020 call 00007F2E6436BE16h 0x00000025 call 00007F2E6436BE06h 0x0000002a lfence 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Orden de Compra.exe	RDTSC instruction interceptor: First address: 00000000004635BF second address: 00000000004635BF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F2E6439D736h 0x0000001d popad 0x0000001e jmp 00007F2E6439AACAh 0x00000020 cmp bx, ax 0x00000023 call 00007F2E6439AB01h 0x00000028 lfence 0x0000002b rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Orden de Compra.exe

Code function: 1_2_00408F7E rdtsc

1_2_00408F7E

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Orden de Compra.exe

API coverage: 9.3 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Orden de Compra.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Orden de Compra.exe

Code function: 1_2_00408F7E rdtsc

1_2_00408F7E

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Orden de Compra.exe, 00000001.00000002.1048376638.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Orden de Compra.exe, 00000001.00000002.1048376638.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Orden de Compra.exe, 00000001.00000002.1048376638.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Orden de Compra.exe, 00000001.00000002.1048376638.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	383316
Product:	CloudBasic
Start time:	16:23:43
Start date:	07.04.2021
Sample:	Orden de Compra.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e6dcf6b66b611ffb7d2bc1a8045bf41f
SHA1:	7b3871b1b077f764175c6d387e846372128a89ee
SHA256:	280e118484090c0a9788dcad52f37995822757f44d230c9ff042c3507d8e20a3
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report Orden de Compra.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map