Analysis Report PP05492110.exe

Overview

General Information

Sample Name: PP05492110.exe
Analysis ID: 385457
MD5: 9cb24f7919feb0b91ff6071d6fddbaf6
SHA1: 4910e701802ff270266954f34bd384fcf987d429
SHA256: e14114a3eabaaf81a42459e2dab69cf044fe90909d7bf7ccb9db62e4d12a51ce
Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.753553871.0000000000500000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=15OztyABrKIbvulchlM9fuv9fi1p1lVIL", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Machine Learning detection for sample
Source: PP05492110.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: PP05492110.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0041A3EC __vbaChkstk,__vbaRecUniToAnsi,__vbaStrToAnsi,FindFirstFileA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaFreeStr,__vbaEnd,#593,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,#619,__vbaVarTstNe,__vbaFreeVar,__vbaFpI4,__vbaHresultCheckObj,#693,__vbaVarDup,#600,__vbaFreeVar,__vbaFreeStr, 0_2_0041A3EC
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_004138E4 FindFirstFileA, 0_2_004138E4

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=15OztyABrKIbvulchlM9fuv9fi1p1lVIL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PP05492110.exe, 00000000.00000002.753871961.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PP05492110.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0040D647 0_2_0040D647
PE file contains strange resources
Source: PP05492110.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PP05492110.exe, 00000000.00000000.229065756.000000000041F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLaboredly5.exe vs PP05492110.exe
Source: PP05492110.exe, 00000000.00000002.754349737.0000000002130000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLaboredly5.exeFE2XPana-sonic vs PP05492110.exe
Source: PP05492110.exe, 00000000.00000002.753767529.0000000000640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PP05492110.exe
Source: PP05492110.exe Binary or memory string: OriginalFilenameLaboredly5.exe vs PP05492110.exe
Uses 32bit PE files
Source: PP05492110.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PP05492110.exe File created: C:\Users\user\AppData\Local\Temp\~DF9B833C04D7FE5A04.TMP
Source: PP05492110.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PP05492110.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PP05492110.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.753553871.0000000000500000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: PP05492110.exe Static PE information: real checksum: 0x33b86 should be: 0x2f77b
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_00404C82 push E441211Ah; ret 0_2_00404C88
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_00406505 push ebx; retf 0_2_0040650F
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_00406510 push ebx; retf 0_2_0040650F
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0040D647 pushfd ; iretd 0_2_0040D877
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0040BA7D push 7600FFCEh; iretd 0_2_0040BA82
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_00401B43 push edi; ret 0_2_00401B53
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0040AF47 push ebp; ret 0_2_0040AF4B
Source: C:\Users\user\Desktop\PP05492110.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PP05492110.exe RDTSC instruction interceptor: First address: 00000000004092A7 second address: 00000000004092A7 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 000000C7h 0x00000007 fucom st(1), st(0) 0x00000009 fsincos 0x0000000b pxor mm2, mm4 0x0000000e fsubp st(2), st(0) 0x00000010 fdecstp 0x00000012 fldpi 0x00000014 jmp 00007FDE6CAD8ECAh 0x00000016 cmp ebx, 4Ah 0x00000019 cmp eax, 000000EAh 0x0000001e cmp eax, 000000B8h 0x00000023 cmp ebx, 000000A9h 0x00000029 cmp eax, 000000A3h 0x0000002e cmp edi, 02EAFF40h 0x00000034 movd mm1, ebx 0x00000037 movd mm1, ebx 0x0000003a psraw xmm3, xmm3 0x0000003e paddusw xmm6, xmm4 0x00000042 fcos 0x00000044 fyl2xp1 0x00000046 fldlg2 0x00000048 fabs 0x0000004a fcomp st(0), st(6) 0x0000004c jmp 00007FDE6CAD8EC7h 0x0000004e movd mm1, ebx 0x00000051 movd mm1, ebx 0x00000054 jne 00007FDE6CAD8CE6h 0x0000005a inc edi 0x0000005b fdecstp 0x0000005d fmul st(0), st(6) 0x0000005f pand xmm6, xmm3 0x00000063 fsubrp st(2), st(0) 0x00000065 psrlw xmm5, 32h 0x0000006a emms 0x0000006c wait 0x0000006d fnclex 0x0000006f fsubp st(7), st(0) 0x00000071 paddsw xmm3, xmm3 0x00000075 jmp 00007FDE6CAD8EC7h 0x00000077 cmp ebx, 05h 0x0000007a cmp ebx, 000000C1h 0x00000080 cmp eax, 000000A4h 0x00000085 cmp eax, 17h 0x00000088 cmp ebx, 3Eh 0x0000008b cmp eax, 1Dh 0x0000008e rdtsc
Source: C:\Users\user\Desktop\PP05492110.exe RDTSC instruction interceptor: First address: 00000000005033F0 second address: 00000000005033F0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDE6CEFE954h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 jmp 00007FDE6CEFE94Ah 0x00000022 test al, cl 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FDE6CEFE902h 0x0000002a clc 0x0000002b push ecx 0x0000002c cmp ax, 00008F45h 0x00000030 call 00007FDE6CEFE96Eh 0x00000035 call 00007FDE6CEFE964h 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_0041A3EC __vbaChkstk,__vbaRecUniToAnsi,__vbaStrToAnsi,FindFirstFileA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaFreeStr,__vbaEnd,#593,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,#619,__vbaVarTstNe,__vbaFreeVar,__vbaFpI4,__vbaHresultCheckObj,#693,__vbaVarDup,#600,__vbaFreeVar,__vbaFreeStr, 0_2_0041A3EC
Source: C:\Users\user\Desktop\PP05492110.exe Code function: 0_2_004138E4 FindFirstFileA, 0_2_004138E4

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PP05492110.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: PP05492110.exe, 00000000.00000002.754099835.0000000000D20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph ID: 385457, Sample: PP05492110.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 72
No contacted IP infos