Source: 00000000.00000002.753553871.0000000000500000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=15OztyABrKIbvulchlM9fuv9fi1p1lVIL", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: PP05492110.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_0041A3EC __vbaChkstk,__vbaRecUniToAnsi,__vbaStrToAnsi,FindFirstFileA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaFreeStr,__vbaEnd,#593,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,#619,__vbaVarTstNe,__vbaFreeVar,__vbaFpI4,__vbaHresultCheckObj,#693,__vbaVarDup,#600,__vbaFreeVar,__vbaFreeStr
0_2_0041A3EC
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_004138E4 FindFirstFileA
0_2_004138E4
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=download&id=15OztyABrKIbvulchlM9fuv9fi1p1lVIL
Source: PP05492110.exe, 00000000.00000002.753871961.000000000069A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: C:\Users\user\Desktop\PP05492110.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_0040D647
0_2_0040D647
Source: PP05492110.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PP05492110.exe, 00000000.00000000.229065756.000000000041F000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameLaboredly5.exe vs PP05492110.exe
Source: PP05492110.exe, 00000000.00000002.754349737.0000000002130000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameLaboredly5.exeFE2XPana-sonic vs PP05492110.exe
Source: PP05492110.exe, 00000000.00000002.753767529.0000000000640000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs PP05492110.exe
Source: PP05492110.exe
Binary or memory string: OriginalFilenameLaboredly5.exe vs PP05492110.exe
Source: classification engine
Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PP05492110.exe
File created: C:\Users\user\AppData\Local\Temp\~DF9B833C04D7FE5A04.TMP
Source: PP05492110.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PP05492110.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PP05492110.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match
File source: 00000000.00000002.753553871.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: PP05492110.exe
Static PE information: real checksum: 0x33b86 should be: 0x2f77b
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_00404C82 push E441211Ah; ret
0_2_00404C88
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_00406505 push ebx; retf
0_2_0040650F
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_00406510 push ebx; retf
0_2_0040650F
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_0040D647 pushfd ; iretd
0_2_0040D877
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_0040BA7D push 7600FFCEh; iretd
0_2_0040BA82
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_00401B43 push edi; ret
0_2_00401B53
Source: C:\Users\user\Desktop\PP05492110.exe
Code function: 0_2_0040AF47 push ebp; ret
0_2_0040AF4B
Source: C:\Users\user\Desktop\PP05492110.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PP05492110.exe
RDTSC instruction interceptor: First address: 00000000004092A7 second address: 00000000004092A7 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 000000C7h 0x00000007 fucom st(1), st(0) 0x00000009 fsincos 0x0000000b pxor mm2, mm4 0x0000000e fsubp st(2), st(0) 0x00000010 fdecstp 0x00000012 fldpi 0x00000014 jmp 00007FDE6CAD8ECAh 0x00000016 cmp ebx, 4Ah 0x00000019 cmp eax, 000000EAh 0x0000001e cmp eax, 000000B8h 0x00000023 cmp ebx, 000000A9h 0x00000029 cmp eax, 000000A3h 0x0000002e cmp edi, 02EAFF40h 0x00000034 movd mm1, ebx 0x00000037 movd mm1, ebx 0x0000003a psraw xmm3, xmm3 0x0000003e paddusw xmm6, xmm4 0x00000042 fcos 0x00000044 fyl2xp1 0x00000046 fldlg2 0x00000048 fabs 0x0000004a fcomp st(0), st(6) 0x0000004c jmp 00007FDE6CAD8EC7h 0x0000004e movd mm1, ebx 0x00000051 movd mm1, ebx 0x00000054 jne 00007FDE6CAD8CE6h 0x0000005a inc edi 0x0000005b fdecstp 0x0000005d fmul st(0), st(6) 0x0000005f pand xmm6, xmm3 0x00000063 fsubrp st(2), st(0) 0x00000065 psrlw xmm5, 32h 0x0000006a emms 0x0000006c wait 0x0000006d fnclex 0x0000006f fsubp st(7), st(0) 0x00000071 paddsw xmm3, xmm3 0x00000075 jmp 00007FDE6CAD8EC7h 0x00000077 cmp ebx, 05h 0x0000007a cmp ebx, 000000C1h 0x00000080 cmp eax, 000000A4h 0x00000085 cmp eax, 17h 0x00000088 cmp ebx, 3Eh 0x0000008b cmp eax, 1Dh 0x0000008e rdtsc
Source: C:\Users\user\Desktop\PP05492110.exe
RDTSC instruction interceptor: First address: 00000000005033F0 second address: 00000000005033F0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDE6CEFE954h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 jmp 00007FDE6CEFE94Ah 0x00000022 test al, cl 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FDE6CEFE902h 0x0000002a clc 0x0000002b push ecx 0x0000002c cmp ax, 00008F45h 0x00000030 call 00007FDE6CEFE96Eh 0x00000035 call 00007FDE6CEFE964h 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PP05492110.exe
Process Stats: CPU usage > 90% for more than 60s
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp
Binary or memory string: SProgram Managerl
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd,
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp
Binary or memory string: Progmanlock