Source: Overworn.exe |
Virustotal: Detection: 46% |
Source: Overworn.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Overworn.exe, 00000001.00000002.731737595.000000000073A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Overworn.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00408D2A |
1_2_00408D2A |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004095D4 |
1_2_004095D4 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00408DE0 |
1_2_00408DE0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00408E76 |
1_2_00408E76 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00408F13 |
1_2_00408F13 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_0040D3C4 |
1_2_0040D3C4 |
Source: Overworn.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Overworn.exe, 00000001.00000002.732187896.0000000002270000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Overworn.exe |
Source: classification engine |
Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Overworn.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFEA00A80929BD1817.TMP |
Source: Overworn.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Overworn.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Overworn.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000001.00000002.731517060.00000000004F0000.00000040.00000001.sdmp, type: MEMORY |
Source: Overworn.exe |
Static PE information: real checksum: 0x2af75 should be: 0x1db80 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004013E8 push es; iretd |
1_2_004018C0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00405C43 push es; iretd |
1_2_00405C4C |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00404C46 push es; iretd |
1_2_00404C60 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00406446 push es; iretd |
1_2_00406464 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00405C4F push es; iretd |
1_2_00405CB4 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00406853 push es; iretd |
1_2_00406854 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_0040387F push es; iretd |
1_2_00403880 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00406403 push es; iretd |
1_2_00406420 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00406403 push es; iretd |
1_2_004064A0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00402037 push es; iretd |
1_2_00402060 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00401438 push es; iretd |
1_2_004018C0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_0040643D push es; iretd |
1_2_00406440 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004018F2 push es; iretd |
1_2_004019DC |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00405CF3 push es; iretd |
1_2_00405D2C |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00406487 push es; iretd |
1_2_004064A0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_0040288C push es; iretd |
1_2_004028B8 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_0040D8A2 push ss; ret |
1_2_0040D8A9 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004078AD push es; iretd |
1_2_00407908 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00405CB7 push es; iretd |
1_2_00405CF0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00407543 push es; iretd |
1_2_00407554 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00404D4F push es; iretd |
1_2_00404EC0 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00407957 push es; iretd |
1_2_00407968 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00403966 push es; iretd |
1_2_00403968 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00403D6C push es; iretd |
1_2_00403D78 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00407171 push es; iretd |
1_2_004072C8 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00407171 push es; iretd |
1_2_00407320 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00407171 push es; iretd |
1_2_004073D8 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00404901 push es; iretd |
1_2_00404904 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00402917 push es; iretd |
1_2_00402918 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_00403DD7 push es; iretd |
1_2_00403E64 |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004019DF push es; iretd |
1_2_00401ADC |
Source: C:\Users\user\Desktop\Overworn.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Overworn.exe |
RDTSC instruction interceptor: First address: 00000000004F32A7 second address: 00000000004F32A7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9EE48449A5h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bx, 5F68h 0x00000022 test ebx, ebx 0x00000024 pop ecx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 jmp 00007F9EE484499Ah 0x0000002a cmp edx, ebx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F9EE4844942h 0x00000031 test ebx, 24644987h 0x00000037 test bh, ch 0x00000039 push ecx 0x0000003a cmp ecx, BD743742h 0x00000040 call 00007F9EE48449E9h 0x00000045 call 00007F9EE48449B5h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc |
Source: C:\Users\user\Desktop\Overworn.exe |
Code function: 1_2_004030B7 rdtsc |
1_2_004030B7 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Overworn.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |