Analysis Report SWIFT Payment Advise 39 430-25.exe

Overview

General Information

Sample Name: SWIFT Payment Advise 39 430-25.exe
Analysis ID: 385257
MD5: 758028b3f6c428890bf423f4bf61493f
SHA1: f23458e2f4b1ec7b1b626892878fbc8a81bcc8d6
SHA256: 7e2f0e6ba024408d3b889101de8ab48b3592b465e7a33c95c4fbcb5a4c912fb7
Tags: GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0"}
Multi AV Scanner detection for submitted file
Source: SWIFT Payment Advise 39 430-25.exe ReversingLabs: Detection: 27%

Compliance:

Uses 32bit PE files
Source: SWIFT Payment Advise 39 430-25.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.7:49708 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: doc-0s-40-docs.googleusercontent.com
Source: ieinstal.exe String found in binary or memory: https://drive.google.com/uc?export=download&id=1dZX_cFlErs_ZNtLRip3fHBXb5WHo03u0
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.7:49708 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: SWIFT Payment Advise 39 430-25.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SWIFT Payment Advise 39 430-25.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C10A0B NtWriteVirtualMemory,TerminateProcess, 0_2_02C10A0B
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C17BA6 NtProtectVirtualMemory, 0_2_02C17BA6
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C10B3E NtWriteVirtualMemory,TerminateProcess, 0_2_02C10B3E
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1073E EnumWindows,NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA, 0_2_02C1073E
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1809C NtSetContextThread, 0_2_02C1809C
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C132C3 NtWriteVirtualMemory, 0_2_02C132C3
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C182E6 NtSetContextThread, 0_2_02C182E6
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13247 NtWriteVirtualMemory, 0_2_02C13247
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C183CF NtSetContextThread, 0_2_02C183CF
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C107ED NtSetInformationThread, 0_2_02C107ED
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C17FF5 NtProtectVirtualMemory, 0_2_02C17FF5
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C133F8 NtWriteVirtualMemory, 0_2_02C133F8
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18382 NtSetContextThread, 0_2_02C18382
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C12F8C NtWriteVirtualMemory, 0_2_02C12F8C
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18336 NtSetContextThread, 0_2_02C18336
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1333F NtWriteVirtualMemory, 0_2_02C1333F
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C108EE NtSetInformationThread, 0_2_02C108EE
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C15CF4 NtSetInformationThread, 0_2_02C15CF4
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C180FD NtSetContextThread, 0_2_02C180FD
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C134AB NtWriteVirtualMemory, 0_2_02C134AB
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C180B3 NtSetContextThread, 0_2_02C180B3
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18462 NtSetContextThread, 0_2_02C18462
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1841B NtSetContextThread, 0_2_02C1841B
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1082A NtSetInformationThread, 0_2_02C1082A
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13032 NtWriteVirtualMemory, 0_2_02C13032
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C155D5 NtSetInformationThread, 0_2_02C155D5
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C181D6 NtSetContextThread, 0_2_02C181D6
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C185ED NtSetContextThread, 0_2_02C185ED
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C17589 NtSetInformationThread,LoadLibraryA, 0_2_02C17589
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18195 NtSetContextThread, 0_2_02C18195
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18544 NtSetContextThread, 0_2_02C18544
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18151 NtSetContextThread, 0_2_02C18151
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1315E NtWriteVirtualMemory, 0_2_02C1315E
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13112 NtWriteVirtualMemory, 0_2_02C13112
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C18521 NtSetContextThread, 0_2_02C18521
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03233B4A Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03233B4A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232B48 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03232B48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03237BA6 NtProtectVirtualMemory, 11_2_03237BA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232BC8 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03232BC8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03233C71 LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03233C71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_0323809C NtSetInformationThread, 11_2_0323809C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238521 NtSetInformationThread, 11_2_03238521
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238336 NtSetInformationThread, 11_2_03238336
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238544 NtSetInformationThread, 11_2_03238544
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238151 NtSetInformationThread, 11_2_03238151
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238382 NtSetInformationThread, 11_2_03238382
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238195 NtSetInformationThread, 11_2_03238195
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232B9A TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03232B9A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032385ED NtSetInformationThread, 11_2_032385ED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03233BF3 LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03233BF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03237FF5 NtProtectVirtualMemory, 11_2_03237FF5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032383CF NtSetInformationThread, 11_2_032383CF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032381D6 NtSetInformationThread, 11_2_032381D6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_0323841B NtSetInformationThread, 11_2_0323841B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03238462 NtSetInformationThread, 11_2_03238462
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03233C6A LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03233C6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232C6E NtProtectVirtualMemory, 11_2_03232C6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03233CA0 LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03233CA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032380B3 NtSetInformationThread, 11_2_032380B3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032382E6 NtSetInformationThread, 11_2_032382E6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032380FD NtSetInformationThread, 11_2_032380FD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232AC8 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03232AC8
PE file contains strange resources
Source: SWIFT Payment Advise 39 430-25.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.373593850.0000000002330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000000.228478344.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePlateaued1.exe vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.373551867.00000000021D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SWIFT Payment Advise 39 430-25.exe
Source: SWIFT Payment Advise 39 430-25.exe Binary or memory string: OriginalFilenamePlateaued1.exe vs SWIFT Payment Advise 39 430-25.exe
Uses 32bit PE files
Source: SWIFT Payment Advise 39 430-25.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@5/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: SWIFT Payment Advise 39 430-25.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SWIFT Payment Advise 39 430-25.exe ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000B.00000002.497022856.0000000003232000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 6896, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: SWIFT Payment Advise 39 430-25.exe PID: 5960, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_0040F8F4 push edx; ret 0_2_00410FFE
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_00406EE2 push 00000075h; retf 0_2_00406EE4
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C15107 pushfd ; iretd 0_2_02C15108
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C10D13 second address: 0000000002C10D13 instructions:
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C13511 second address: 0000000002C13511 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003232B0B second address: 0000000003232B0B instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ieinstal.exe Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SWIFT Payment Advise 39 430-25.exe, ieinstal.exe Binary or memory string: AM FILES\QEMU-GA\QEMU-GA.EXE
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374612274.0000000002C10000.00000040.00000001.sdmp, ieinstal.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C13A3E second address: 0000000002C13E98 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, 40h 0x00000006 add eax, 04h 0x00000009 mov eax, dword ptr [eax] 0x0000000b ret 0x0000000c mov dword ptr [ebp+4Ch], eax 0x0000000f test dl, al 0x00000011 call 00007F8C549E36C2h 0x00000016 push dword ptr [ebp+20h] 0x00000019 jmp 00007F8C549E0616h 0x0000001b cmp si, 734Dh 0x00000020 pop dword ptr [ebp+00000128h] 0x00000026 test dl, 0000001Fh 0x00000029 mov dword ptr [ebp+68h], 00000000h 0x00000030 test bx, dx 0x00000033 jmp 00007F8C549E166Eh 0x00000038 call 00007F8C549DF537h 0x0000003d pop dword ptr [ebp+64h] 0x00000040 cmp dh, ah 0x00000042 jmp 00007F8C549E130Eh 0x00000047 call 00007F8C549DF89Bh 0x0000004c test dl, bl 0x0000004e pop dword ptr [ebp+6Ch] 0x00000051 jmp 00007F8C549E061Ah 0x00000053 test bx, ax 0x00000056 mov dword ptr [ebp+70h], 00000001h 0x0000005d mov dword ptr [ebp+74h], 00000000h 0x00000064 mov dword ptr [ebp+000000ACh], 0001A000h 0x0000006e cmp esi, 263408DCh 0x00000074 mov dword ptr [ebp+7Ch], 00000000h 0x0000007b pushad 0x0000007c mov eax, 0000004Fh 0x00000081 rdtsc
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C13E98 second address: 0000000002C10D13 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 test cx, cx 0x00000006 jmp 00007F8C544BC783h 0x0000000b call 00007F8C544BB2A2h 0x00000010 pop dword ptr [ebp+000000B8h] 0x00000016 cmp ecx, ebx 0x00000018 push dword ptr fs:[000000C0h] 0x0000001f pop dword ptr [ebp+48h] 0x00000022 cmp dl, dl 0x00000024 ret 0x00000025 cmp al, cl 0x00000027 cmp dx, ax 0x0000002a mov ecx, dword ptr [ebp+5Ch] 0x0000002d jmp 00007F8C544BBD56h 0x0000002f test ch, FFFFFF92h 0x00000032 test al, cl 0x00000034 mov edx, BAEF4789h 0x00000039 pushad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C10D13 second address: 0000000002C10D13 instructions:
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe RDTSC instruction interceptor: First address: 0000000002C13511 second address: 0000000002C13511 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003233A3E second address: 0000000003233E98 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, 40h 0x00000006 add eax, 04h 0x00000009 mov eax, dword ptr [eax] 0x0000000b ret 0x0000000c mov dword ptr [ebp+4Ch], eax 0x0000000f test dl, al 0x00000011 call 00007F8C549E36C2h 0x00000016 push dword ptr [ebp+20h] 0x00000019 jmp 00007F8C549E0616h 0x0000001b cmp si, 734Dh 0x00000020 pop dword ptr [ebp+00000128h] 0x00000026 test dl, 0000001Fh 0x00000029 mov dword ptr [ebp+68h], 00000000h 0x00000030 test bx, dx 0x00000033 jmp 00007F8C549E166Eh 0x00000038 call 00007F8C549DF537h 0x0000003d pop dword ptr [ebp+64h] 0x00000040 cmp dh, ah 0x00000042 jmp 00007F8C549E130Eh 0x00000047 call 00007F8C549DF89Bh 0x0000004c test dl, bl 0x0000004e pop dword ptr [ebp+6Ch] 0x00000051 jmp 00007F8C549E061Ah 0x00000053 test bx, ax 0x00000056 mov dword ptr [ebp+70h], 00000001h 0x0000005d mov dword ptr [ebp+74h], 00000000h 0x00000064 mov dword ptr [ebp+000000ACh], 0001A000h 0x0000006e cmp esi, 263408DCh 0x00000074 mov dword ptr [ebp+7Ch], 00000000h 0x0000007b pushad 0x0000007c mov eax, 0000004Fh 0x00000081 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000003232B0B second address: 0000000003232B0B instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C172C6 rdtsc 0_2_02C172C6
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 3263
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 5384 Thread sleep count: 3263 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 3263 delay: -5
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SWIFT Payment Advise 39 430-25.exe, ieinstal.exe Binary or memory string: am Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374612274.0000000002C10000.00000040.00000001.sdmp, ieinstal.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SWIFT Payment Advise 39 430-25.exe, 00000000.00000002.374797254.0000000002CA0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1073E NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000020,02C12FE0,00000000,00000000,00000000 0_2_02C1073E
Hides threads from debuggers
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C172C6 rdtsc 0_2_02C172C6
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13F01 LdrInitializeThunk, 0_2_02C13F01
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C172C6 mov eax, dword ptr fs:[00000030h] 0_2_02C172C6
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C166D1 mov eax, dword ptr fs:[00000030h] 0_2_02C166D1
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C12696 mov eax, dword ptr fs:[00000030h] 0_2_02C12696
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C126A2 mov eax, dword ptr fs:[00000030h] 0_2_02C126A2
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13A29 mov eax, dword ptr fs:[00000030h] 0_2_02C13A29
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C16CCE mov eax, dword ptr fs:[00000030h] 0_2_02C16CCE
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C12004 mov eax, dword ptr fs:[00000030h] 0_2_02C12004
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C17589 mov eax, dword ptr fs:[00000030h] 0_2_02C17589
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C175BB mov eax, dword ptr fs:[00000030h] 0_2_02C175BB
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C17565 mov eax, dword ptr fs:[00000030h] 0_2_02C17565
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1296B mov eax, dword ptr fs:[00000030h] 0_2_02C1296B
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C1293D mov eax, dword ptr fs:[00000030h] 0_2_02C1293D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03237565 mov eax, dword ptr fs:[00000030h] 11_2_03237565
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032375BB mov eax, dword ptr fs:[00000030h] 11_2_032375BB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03237589 mov eax, dword ptr fs:[00000030h] 11_2_03237589
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032339E0 mov eax, dword ptr fs:[00000030h] 11_2_032339E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032339E7 mov eax, dword ptr fs:[00000030h] 11_2_032339E7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03236CCE mov eax, dword ptr fs:[00000030h] 11_2_03236CCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_032366D1 mov eax, dword ptr fs:[00000030h] 11_2_032366D1
Enables debug privileges
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 11_2_03232BC8 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 11_2_03232BC8

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3230000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe'
Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 0000000B.00000002.497857742.0000000003B20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SWIFT Payment Advise 39 430-25.exe Code function: 0_2_02C13646 cpuid 0_2_02C13646
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Contacted Public IPs

IP               Domain                                Country                      ASN     ASN Name        Malicious
216.58.215.225   googlehosted.l.googleusercontent.com  United States                15169   GOOGLEUS        false
194.5.178.163    becharnise.ir                         Iran (Islamic Republic of)   200406  BERBIDSERVERIR  false

Contacted Domains

Name                                  IP               Active
becharnise.ir                         194.5.178.163    true
googlehosted.l.googleusercontent.com  216.58.215.225   true
doc-0s-40-docs.googleusercontent.com  unknown          unknown