Source: factura.exe |
Metadefender: Detection: 27% |
Source: factura.exe |
ReversingLabs: Detection: 45% |
Source: factura.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D036A8 InternetReadFile, 27_2_00D036A8 |
Source: RegAsm.exe, 0000001B.00000002.747456441.0000000000CFA000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EK |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\factura.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_0040169C 1_2_0040169C |
Source: factura.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: factura.exe, 00000001.00000002.649560165.00000000021D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs factura.exe |
Source: factura.exe, 00000001.00000002.649247945.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions5>@ vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsd?3 vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW8 vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions(: vs factura.exe |
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsJ$ vs factura.exe |
Source: factura.exe |
Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Section loaded: sfc.dll |
Source: classification engine |
Classification label: mal76.rans.evad.winEXE@4/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:68:120:WilError_01 |
Source: factura.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\factura.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\factura.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Users\user\Desktop\factura.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Users\user\Desktop\factura.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe' |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
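The process creations above form the chain factura.exe -> RegAsm.exe -> conhost.exe, with factura.exe (a VB6 binary, since msvbvm60.dll is loaded into it) starting RegAsm.exe twice using factura.exe's own path as the command line. A child whose command line names a different executable than the image it actually runs, and in particular names its parent, is the usual trace that a crypter started the .NET utility suspended and replaced its image in memory (RunPE / process hollowing); the later RegAsm.exe findings on this page (InternetReadFile, the drive.google.com download URL, the RDTSC checks) are then the injected code's, not RegAsm's. The report itself does not show the memory-write calls, so this is an interpretation of the command-line mismatch. The Python below is added here as an example and is not part of the report: it scores process-creation events for that shape. The events are constructed from the entries on this page, the PIDs, the empty parent of the initial sample and the benign MSBuild.exe event are made up, and the indicator names and host/parent lists are this example's own assumptions.

```python
import ntpath
from dataclasses import dataclass

# .NET framework utilities commonly started suspended and hollowed out
# (assumed list; RegAsm.exe from the report is one of them).
DOTNET_HOST_IMAGES = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                      "installutil.exe", "aspnet_compiler.exe"}
# Parents from which RegAsm.exe is ordinarily launched (assumed list).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "setup.exe"}
# Path fragments that mark user-writable locations on Windows.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int           # constructed; the report shows analysis indices, not PIDs
    image: str         # full path of the new process
    cmdline: str       # command line handed to CreateProcess
    parent_image: str  # full path of the creator, "" if unknown


def first_token(cmdline):
    """Image part of a command line, honouring a quoted first token.
    Joe Sandbox prints quotes as single quotes; both quote styles are handled."""
    s = cmdline.strip()
    if s and s[0] in "\"'":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def basename(path):
    # ntpath handles backslash paths on any host OS
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the hollowing indicators this creation event matches."""
    hits = []
    img = basename(event.image)
    cmd_img = first_token(event.cmdline)
    parent = basename(event.parent_image)
    if basename(cmd_img) != img:
        # Command line names a different executable than the mapped image.
        hits.append("cmdline_image_mismatch")
    if event.parent_image and cmd_img.lower() == event.parent_image.lower():
        # Child was given the parent's own path as its command line,
        # exactly what the report shows for RegAsm.exe.
        hits.append("cmdline_is_parent_image")
    if img in DOTNET_HOST_IMAGES and parent not in EXPECTED_PARENTS:
        hits.append("dotnet_host_with_unexpected_parent")
    if img in DOTNET_HOST_IMAGES and any(
            m in event.parent_image.lower() for m in USER_WRITABLE_MARKERS):
        hits.append("dotnet_host_spawned_from_user_writable_path")
    return hits


def evaluate_all(events):
    """Map each event's PID to its indicator list."""
    return {e.pid: evaluate(e) for e in events}


REGASM_V2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
FACTURA = r"C:\Users\user\Desktop\factura.exe"

# Constructed events mirroring this page's process tree, plus one benign
# RegAsm.exe launch from build tooling for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(1, FACTURA, "'" + FACTURA + "'", ""),
    ProcessEvent(27, REGASM_V2, "'" + FACTURA + "'", FACTURA),
    ProcessEvent(28, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", REGASM_V2),
    ProcessEvent(100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\build\Component.dll',
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, hits in evaluate_all(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
```

Only the RegAsm.exe event from the report trips the indicators; the initial sample, conhost.exe and the MSBuild-launched RegAsm.exe score nothing, which is the behaviour wanted from a rule that keys on the command-line/image relationship rather than on the RegAsm.exe name alone.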
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00403542 push ebx; ret 1_2_00403557 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_0040657D push FFFFFFC2h; iretd 1_2_004065A9 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_004065AB push FFFFFFC2h; iretd 1_2_004065A9 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00403E6A pushad ; ret 1_2_00403E6B |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00401E38 push esp; retf 0040h 1_2_00401E39 |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00403ED0 push esp; retf 1_2_00403EDA |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00403E90 push esp; retf 1_2_00403EDA |
Source: C:\Users\user\Desktop\factura.exe |
Code function: 1_2_00403F18 push esp; retf 1_2_00403EDA |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D01E0F push es; iretd 27_2_00D01E31 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D0062C push 00000039h; retn 1F0Eh 27_2_00D008FB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D02FE2 push cs; iretd 27_2_00D02FFD |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D01082 push ecx; ret 27_2_00D01083 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D009B2 push D01F0600h; ret 27_2_00D009B7 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D030B3 push ebx; ret 27_2_00D0310B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D02174 push esp; retf 27_2_00D02177 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D01266 push ecx; ret 27_2_00D01267 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D02F00 push ebx; ret 27_2_00D02F07 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 27_2_00D03032 push ebx; ret 27_2_00D03037 |
Source: C:\Users\user\Desktop\factura.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000551A41 second address: 0000000000551A41 instructions: |
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007FE76CA6A8B8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d pop ecx
  0x0000001e add edi, edx
  0x00000020 dec ecx
  0x00000021 cmp ecx, 00000000h
  0x00000024 jne 00007FE76CA6A8A1h
  0x00000026 cmp ah, dh
  0x00000028 push ecx
  0x00000029 call 00007FE76CA6A8C9h
  0x0000002e call 00007FE76CA6A8C8h
  0x00000033 lfence
  0x00000036 mov edx, dword ptr [7FFE0014h]
  0x0000003c lfence
  0x0000003f ret
  0x00000040 mov esi, edx
  0x00000042 pushad
  0x00000043 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000552C6A second address: 0000000000552C0B instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b retn 0004h
  0x0000000e cmp edx, dword ptr [esp+04h]
  0x00000012 jne 00007FE76CA6A884h
  0x00000014 cmp edx, edx
  0x00000016 mov eax, dword ptr [eax]
  0x00000018 pushad
  0x00000019 lfence
  0x0000001c rdtsc
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000552B18 second address: 0000000000552A79 instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov esi, dword ptr [ebp+14h]
  0x0000000e add esi, dword ptr [ebp+04h]
  0x00000011 mov esi, dword ptr [esi+eax*4]
  0x00000014 add esi, dword ptr [ebp+04h]
  0x00000017 mov dword ptr [ebp+08h], esi
  0x0000001a retn 0004h
  0x0000001d pushad
  0x0000001e lfence
  0x00000021 rdtsc
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000551B03 second address: 0000000000551B03 instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007FE76CB8BDFAh
  0x0000001d popad
  0x0000001e call 00007FE76CB8AB5Bh
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\factura.exe |
RDTSC instruction interceptor: First address: 0000000000552BA9 second address: 0000000000552BA9 instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b push dword ptr [eax+ecx]
  0x0000000e pop dword ptr [ebx+ecx]
  0x00000011 cmp bx, ax
  0x00000014 test cx, 1B46h
  0x00000019 inc ecx
  0x0000001a inc ecx
  0x0000001b inc ecx
  0x0000001c inc ecx
  0x0000001d cmp dl, bl
  0x0000001f cmp ecx, 18h
  0x00000022 jne 00007FE76CA6A888h
  0x00000024 cmp edx, edx
  0x00000026 pushad
  0x00000027 lfence
  0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000D02C6A second address: 0000000000D02C0B instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b retn 0004h
  0x0000000e cmp edx, dword ptr [esp+04h]
  0x00000012 jne 00007FE76CB8AB14h
  0x00000014 cmp edx, edx
  0x00000016 mov eax, dword ptr [eax]
  0x00000018 pushad
  0x00000019 lfence
  0x0000001c rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000D02B18 second address: 0000000000D02A79 instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov esi, dword ptr [ebp+14h]
  0x0000000e add esi, dword ptr [ebp+04h]
  0x00000011 mov esi, dword ptr [esi+eax*4]
  0x00000014 add esi, dword ptr [ebp+04h]
  0x00000017 mov dword ptr [ebp+08h], esi
  0x0000001a retn 0004h
  0x0000001d pushad
  0x0000001e lfence
  0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000000D01B03 second address: 0000000000D01B03 instructions: |
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007FE76CB8BDFAh
  0x0000001d popad
  0x0000001e call 00007FE76CB8AB5Bh
  0x00000023 lfence
  0x00000026 rdtsc
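The interceptor entries above (the same traces appear in factura.exe at 0x55xxxx and again in RegAsm.exe at 0xD0xxxx, consistent with the same code being mapped into both) record a timing-based emulation check: two rdtsc reads bracketed by lfence, the low and high halves folded into one 64-bit value (shl edx, 20h; or edx, eax), a cpuid with eax=1 between the reads so that a hypervisor which traps cpuid inflates the delta, a cross-check against KUSER_SHARED_DATA.SystemTime read directly from 7FFE0014h, and in one variant a test of CPUID.1:ECX bit 31, the hypervisor-present bit. Where the first and second address are equal the same check site was hit repeatedly, i.e. the measurement runs in a loop. The Python below is added as an example and is not part of the report: it parses entries in the sandbox's single-line format and names the idioms each one contains. The three sample lines are the single-line form of entries on this page; the flag names are this example's own.

```python
import re
from dataclasses import dataclass

# Header of a Joe Sandbox style "RDTSC instruction interceptor" entry.
HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$"
)
# The trace is written as "0x<offset> <mnemonic operands>" run together.
INSN_SPLIT_RE = re.compile(r"(?:^|\s+)0x([0-9A-Fa-f]{8})\s+")

# On 32-bit Windows KUSER_SHARED_DATA is mapped at 0x7FFE0000; offset 0x14 is
# SystemTime, readable from user mode without a system call.
KUSER_SYSTEMTIME_OPERAND = "[7ffe0014h]"


@dataclass
class TimingCheck:
    first: int
    second: int
    insns: list  # [(offset, "mnemonic operands"), ...] in trace order

    @property
    def text(self):
        return [i.lower() for _, i in self.insns]


def parse_finding(line):
    """Parse one interceptor entry; ValueError if the line is not one."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor entry")
    body = m.group(3).strip().rstrip("|").strip()   # tolerate a trailing cell bar
    parts = INSN_SPLIT_RE.split(body)               # ['', off0, insn0, off1, insn1, ...]
    offsets = [int(o, 16) for o in parts[1::2]]
    insns = [i.strip() for i in parts[2::2]]
    return TimingCheck(int(m.group(1), 16), int(m.group(2), 16), list(zip(offsets, insns)))


def classify(check):
    """Name the anti-emulation idioms present in one trace."""
    t = check.text
    has_cpuid = "cpuid" in t
    return {
        # Same site hit twice: the timing check runs in a loop.
        "loops_on_same_site": check.first == check.second,
        # Two rdtsc reads: a delta measurement.
        "rdtsc_pair": t.count("rdtsc") >= 2,
        # cpuid is always trapped by a hypervisor, inflating the delta.
        "cpuid_between_reads": has_cpuid,
        # lfence next to rdtsc serialises the read so the delta is meaningful.
        "lfence_serialised": "lfence" in t,
        # edx:eax folded into one 64-bit counter value.
        "combines_64bit_tsc": any(a == "shl edx, 20h" and b == "or edx, eax"
                                  for a, b in zip(t, t[1:])),
        # Cross-check against wall-clock time in KUSER_SHARED_DATA.
        "reads_kuser_systemtime": any(KUSER_SYSTEMTIME_OPERAND in i for i in t),
        # CPUID.1:ECX bit 31 is the hypervisor-present bit.
        "tests_hypervisor_bit": has_cpuid and "bt ecx, 1fh" in t,
    }


def analyze(lines):
    """Parse and classify every interceptor entry among the given report lines."""
    return [(c, classify(c)) for c in (parse_finding(l) for l in lines
                                        if "RDTSC instruction interceptor" in l)]


# Single-line form of three entries on this page (constructed input for the example).
SAMPLE_FINDINGS = [
    "RDTSC instruction interceptor: First address: 0000000000551A41 second address: 0000000000551A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE76CA6A8B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FE76CA6A8A1h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007FE76CA6A8C9h 0x0000002e call 00007FE76CA6A8C8h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc",
    "RDTSC instruction interceptor: First address: 0000000000552C6A second address: 0000000000552C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007FE76CA6A884h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc |",
    "RDTSC instruction interceptor: First address: 0000000000551B03 second address: 0000000000551B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FE76CB8BDFAh 0x0000001d popad 0x0000001e call 00007FE76CB8AB5Bh 0x00000023 lfence 0x00000026 rdtsc",
]

if __name__ == "__main__":
    for check, flags in analyze(SAMPLE_FINDINGS):
        print(f"{check.first:08X}->{check.second:08X}",
              [k for k, v in flags.items() if v])
```

The first sample combines three of the idioms in one loop body (cpuid serialisation, the SystemTime cross-check and repeated sampling), the second is a plain 64-bit delta compare, and the third adds the hypervisor-bit test; a detection that only looks for a bare rdtsc pair would miss the SystemTime and CPUID.1:ECX[31] variants, which is why each idiom is flagged separately.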
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3260 |
Thread sleep time: -3490000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process queried: DebugPort |
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp |
Binary or memory string: uProgram Manager |
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |