Analysis Report Overworn.exe

Overview

General Information

Sample Name: Overworn.exe
Analysis ID: 384218
MD5: 5e68ca13c917b9126ad737ac0a570d66
SHA1: d0fd2b4757b4a0266cd548dd7307eec33ab4f9d3
SHA256: 9b7f6820091a78be8c817c46b864488a35faacb33a21c104953564e974050828
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Overworn.exe Virustotal: Detection: 46%
Machine Learning detection for sample
Source: Overworn.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Overworn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Overworn.exe, 00000001.00000002.731737595.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Overworn.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00408D2A 1_2_00408D2A
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004095D4 1_2_004095D4
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00408DE0 1_2_00408DE0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00408E76 1_2_00408E76
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00408F13 1_2_00408F13
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_0040D3C4 1_2_0040D3C4
PE file contains strange resources
Source: Overworn.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Overworn.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Overworn.exe, 00000001.00000002.732187896.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Overworn.exe
Uses 32bit PE files
Source: Overworn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Overworn.exe File created: C:\Users\user\AppData\Local\Temp\~DFEA00A80929BD1817.TMP
Source: Overworn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Overworn.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Overworn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Overworn.exe Virustotal: Detection: 46%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.731517060.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: Overworn.exe Static PE information: real checksum: 0x2af75 should be: 0x1db80
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004013E8 push es; iretd 1_2_004018C0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00405C43 push es; iretd 1_2_00405C4C
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00404C46 push es; iretd 1_2_00404C60
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00406446 push es; iretd 1_2_00406464
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00405C4F push es; iretd 1_2_00405CB4
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00406853 push es; iretd 1_2_00406854
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_0040387F push es; iretd 1_2_00403880
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00406403 push es; iretd 1_2_00406420
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00406403 push es; iretd 1_2_004064A0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00402037 push es; iretd 1_2_00402060
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00401438 push es; iretd 1_2_004018C0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_0040643D push es; iretd 1_2_00406440
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004018F2 push es; iretd 1_2_004019DC
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00405CF3 push es; iretd 1_2_00405D2C
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00406487 push es; iretd 1_2_004064A0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_0040288C push es; iretd 1_2_004028B8
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_0040D8A2 push ss; ret 1_2_0040D8A9
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004078AD push es; iretd 1_2_00407908
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00405CB7 push es; iretd 1_2_00405CF0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00407543 push es; iretd 1_2_00407554
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00404D4F push es; iretd 1_2_00404EC0
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00407957 push es; iretd 1_2_00407968
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00403966 push es; iretd 1_2_00403968
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00403D6C push es; iretd 1_2_00403D78
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00407171 push es; iretd 1_2_004072C8
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00407171 push es; iretd 1_2_00407320
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00407171 push es; iretd 1_2_004073D8
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00404901 push es; iretd 1_2_00404904
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00402917 push es; iretd 1_2_00402918
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_00403DD7 push es; iretd 1_2_00403E64
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004019DF push es; iretd 1_2_00401ADC
Source: C:\Users\user\Desktop\Overworn.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Overworn.exe RDTSC instruction interceptor: First address: 00000000004F32A7 second address: 00000000004F32A7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9EE48449A5h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bx, 5F68h 0x00000022 test ebx, ebx 0x00000024 pop ecx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 jmp 00007F9EE484499Ah 0x0000002a cmp edx, ebx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F9EE4844942h 0x00000031 test ebx, 24644987h 0x00000037 test bh, ch 0x00000039 push ecx 0x0000003a cmp ecx, BD743742h 0x00000040 call 00007F9EE48449E9h 0x00000045 call 00007F9EE48449B5h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004030B7 rdtsc 1_2_004030B7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Overworn.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Overworn.exe Code function: 1_2_004030B7 rdtsc 1_2_004030B7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph: ID 384218, Sample: Overworn.exe, Start date: 08/04/2021, Architecture: WINDOWS, Score: 68
No contacted IP infos