Analysis Report SBG-1100319PurchaseOrder.exe

Overview

General Information

Sample Name: SBG-1100319PurchaseOrder.exe
Analysis ID: 388089
MD5: 2dd62d78b9f7e9c5529502e085b55756
SHA1: 151d4cd68958df35ae706cc232627a05e923307f
SHA256: c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Tags: exe, RAT, RemcosRAT

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2"}

Compliance:

Uses 32bit PE files
Source: SBG-1100319PurchaseOrder.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49722 -> 79.134.225.124:2048
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/b
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp String found in binary or memory: https://vug8la.am.files.1drv.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp String found in binary or memory: https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai
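The URLs listed above are of three different kinds: the GuLoader payload URL from the extracted configuration, the onedrive.live.com and 1drv.com hosts that serve that payload, and DigiCert/Microsoft CRL and OCSP endpoints that were carved out of the certificate chain in process memory and that any TLS client on Windows contacts. Only the first two belong on a blocklist. The following Python script is an added example, not part of the Joe Sandbox report: it parses the hash lines and the `Source:` lines of this page into a normalized indicator set, strips the stray DER byte from URLs carved out of certificates (the `0` in `Omniroot2025.crl0` is 0x30, the tag that opens the next SEQUENCE in the certificate, not part of the URL), defangs them, and labels each host so that certificate infrastructure is not treated as C2. The excerpt is copied from this report; the host classes and the `classify_host` rules are the example's own.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from this report. For a real run, read the
# whole report text from a file; only the hash lines and "Source:" lines matter.
REPORT_EXCERPT = """\
MD5: 2dd62d78b9f7e9c5529502e085b55756
SHA1: 151d4cd68958df35ae706cc232627a05e923307f
SHA256: c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2
Source: global traffic TCP traffic: 192.168.2.7:49722 -> 79.134.225.124:2048
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp String found in binary or memory: https://vug8la.am.files.1drv.com/
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256):\s*([0-9a-fA-F]{32,64})\s*$", re.M)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
TCP_RE = re.compile(r"TCP traffic:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DNS_RE = re.compile(r"queries for:\s*([A-Za-z0-9.-]+)")
# A URL carved from a certificate in memory drags the next DER byte along:
# 0x30 (ASCII '0') opens the SEQUENCE that follows the string, which is why the
# report shows "Omniroot2025.crl0" and "ocsp.msocsp.com0".
DER_TAIL_RE = re.compile(r"^(https?://\S*\.(?:com|net|org|crl))0$")

# Host classes are this example's own labels, not the sandbox's.
CERT_INFRA_SUFFIXES = (".digicert.com", ".msocsp.com")  # CRL/OCSP, contacted by any TLS client
PAYLOAD_HOSTS = ("onedrive.live.com",)                  # payload host named in the GuLoader config
PAYLOAD_SUFFIXES = (".1drv.com",)                       # OneDrive download CDN seen in memory


def classify_host(host):
    h = host.lower()
    if h.endswith(CERT_INFRA_SUFFIXES):
        return "cert-revocation"
    if h in PAYLOAD_HOSTS or h.endswith(PAYLOAD_SUFFIXES):
        return "payload-staging"
    return "review"


def strip_memory_tail(url):
    """Drop the trailing DER byte described above; report whether anything changed."""
    m = DER_TAIL_RE.match(url)
    return (m.group(1), True) if m else (url, False)


def defang(url):
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_iocs(text):
    iocs = {"hashes": {}, "urls": [], "hosts": {}, "tcp": []}
    for algo, value in HASH_RE.findall(text):
        iocs["hashes"][algo.lower()] = value.lower()
    seen = set()
    for raw in URL_RE.findall(text):
        # One report line ends in "com0:"; the ":" is the byte after the DER tag.
        url, cleaned = strip_memory_tail(raw.rstrip(":"))
        if url in seen:
            continue
        seen.add(url)
        host = (urlsplit(url).hostname or "").lower()
        cls = classify_host(host)
        iocs["urls"].append({"url": defang(url), "host": host, "class": cls, "cleaned": cleaned})
        iocs["hosts"].setdefault(host, cls)
    for host in DNS_RE.findall(text):
        iocs["hosts"].setdefault(host.lower(), classify_host(host))
    for src, sport, dst, dport in TCP_RE.findall(text):
        iocs["tcp"].append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                            "nonstandard_port": int(dport) not in (80, 443)})
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REPORT_EXCERPT), indent=2))
```

Run as-is it prints the indicator set for the excerpt; pointed at the full report text it also picks up the longer OneDrive download URL and the DigiCert OCSP line. Hosts classed `review` are the ones worth a manual look; the `cleaned` flag marks indicators whose text was altered so an analyst can confirm the original string.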

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254532475.000000000075A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SBG-1100319PurchaseOrder.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056616E NtSetInformationThread, 2_2_0056616E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00565D24 NtProtectVirtualMemory, 2_2_00565D24
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056645C NtSetInformationThread, 2_2_0056645C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566474 NtSetInformationThread, 2_2_00566474
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056640C NtSetInformationThread, 2_2_0056640C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056642A NtSetInformationThread, 2_2_0056642A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005664D8 NtSetInformationThread, 2_2_005664D8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00565CCB NtProtectVirtualMemory, 2_2_00565CCB
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005664FA NtSetInformationThread, 2_2_005664FA
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00565CE1 NtProtectVirtualMemory, 2_2_00565CE1
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056648A NtSetInformationThread, 2_2_0056648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566174 NtSetInformationThread, 2_2_00566174
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005661CE NtSetInformationThread, 2_2_005661CE
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005661FE NtSetInformationThread, 2_2_005661FE
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005661E8 NtSetInformationThread, 2_2_005661E8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056618C NtSetInformationThread, 2_2_0056618C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005661B8 NtSetInformationThread, 2_2_005661B8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056624A NtSetInformationThread, 2_2_0056624A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566264 NtSetInformationThread, 2_2_00566264
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056621C NtSetInformationThread, 2_2_0056621C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005662CA NtSetInformationThread, 2_2_005662CA
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005662F0 NtSetInformationThread, 2_2_005662F0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566296 NtSetInformationThread, 2_2_00566296
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566280 NtSetInformationThread, 2_2_00566280
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005662B4 NtSetInformationThread, 2_2_005662B4
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056635A NtSetInformationThread, 2_2_0056635A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056636E NtSetInformationThread, 2_2_0056636E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566306 NtSetInformationThread, 2_2_00566306
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056633C NtSetInformationThread, 2_2_0056633C
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00566324 NtSetInformationThread, 2_2_00566324
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005663C8 NtSetInformationThread, 2_2_005663C8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005663E0 NtSetInformationThread, 2_2_005663E0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056638E NtSetInformationThread, 2_2_0056638E
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005663AE NtSetInformationThread, 2_2_005663AE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056616E NtSetInformationThread, 13_2_0056616E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560500 EnumWindows,NtSetInformationThread, 13_2_00560500
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565D24 NtProtectVirtualMemory, 13_2_00565D24
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560754 NtProtectVirtualMemory, 13_2_00560754
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565787 NtSetInformationThread, 13_2_00565787
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056645C NtSetInformationThread, 13_2_0056645C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566474 NtSetInformationThread, 13_2_00566474
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056506E NtSetInformationThread, 13_2_0056506E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056640C NtSetInformationThread, 13_2_0056640C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056642A NtSetInformationThread, 13_2_0056642A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005664D8 NtSetInformationThread, 13_2_005664D8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565CCB NtProtectVirtualMemory, 13_2_00565CCB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005664FA NtSetInformationThread, 13_2_005664FA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565CE1 NtProtectVirtualMemory, 13_2_00565CE1
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056648A NtSetInformationThread, 13_2_0056648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560D56 NtProtectVirtualMemory, 13_2_00560D56
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566174 NtSetInformationThread, 13_2_00566174
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566569 NtSetInformationThread, 13_2_00566569
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560D13 NtProtectVirtualMemory, 13_2_00560D13
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560D28 NtProtectVirtualMemory, 13_2_00560D28
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005661CE NtSetInformationThread, 13_2_005661CE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005605CA NtSetInformationThread, 13_2_005605CA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005605F2 NtSetInformationThread, 13_2_005605F2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005661FE NtSetInformationThread, 13_2_005661FE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005661E8 NtSetInformationThread, 13_2_005661E8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560586 NtSetInformationThread, 13_2_00560586
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056618C NtSetInformationThread, 13_2_0056618C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005661B8 NtSetInformationThread, 13_2_005661B8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560DA8 NtProtectVirtualMemory, 13_2_00560DA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056624A NtSetInformationThread, 13_2_0056624A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560664 NtSetInformationThread, 13_2_00560664
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566264 NtSetInformationThread, 13_2_00566264
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056621C NtSetInformationThread, 13_2_0056621C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056062B NtSetInformationThread, 13_2_0056062B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005606D4 NtSetInformationThread, 13_2_005606D4
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005662CA NtSetInformationThread, 13_2_005662CA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005662F0 NtSetInformationThread, 13_2_005662F0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566296 NtSetInformationThread, 13_2_00566296
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560698 NtSetInformationThread, 13_2_00560698
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566280 NtSetInformationThread, 13_2_00566280
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005662B4 NtSetInformationThread, 13_2_005662B4
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056635A NtSetInformationThread, 13_2_0056635A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00564F76 NtSetInformationThread, 13_2_00564F76
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056636E NtSetInformationThread, 13_2_0056636E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566306 NtSetInformationThread, 13_2_00566306
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056633C NtSetInformationThread, 13_2_0056633C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00566324 NtSetInformationThread, 13_2_00566324
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005663C8 NtSetInformationThread, 13_2_005663C8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005663E0 NtSetInformationThread, 13_2_005663E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056638E NtSetInformationThread, 13_2_0056638E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005663AE NtSetInformationThread, 13_2_005663AE
Detected potential crypto function
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_0223648A 0_2_0223648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056648A 2_2_0056648A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00564700 2_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C648A 12_2_021C648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056648A 13_2_0056648A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005665DA 13_2_005665DA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005629C7 13_2_005629C7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00564366 13_2_00564366
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565363 13_2_00565363
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00564700 13_2_00564700
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005643B0 13_2_005643B0
PE file contains strange resources
Source: SBG-1100319PurchaseOrder.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254583063.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000000.00000002.254289363.0000000000432000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507657061.000000001DEE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000000.253118213.0000000000432000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.507717247.000000001E030000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SBG-1100319PurchaseOrder.exe
Source: SBG-1100319PurchaseOrder.exe Binary or memory string: OriginalFilenamehippoglossus.exe vs SBG-1100319PurchaseOrder.exe
Uses 32bit PE files
Source: SBG-1100319PurchaseOrder.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@8/3@62/1
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Mutant created: \Sessions\1\BaseNamedObjects\idll-WT08JM
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File created: C:\Users\user\AppData\Local\Temp\subfolder1
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: SBG-1100319PurchaseOrder.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File read: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe
Source: unknown Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.501532840.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: filename1.exe PID: 5516, type: MEMORY
Source: Yara match File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6224, type: MEMORY
Source: Yara match File source: Process Memory Space: SBG-1100319PurchaseOrder.exe PID: 6352, type: MEMORY
Source: Yara match File source: Process Memory Space: filename1.exe PID: 5936, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02235A0A push eax; ret 0_2_02235A0B
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00563B8E pushad ; ret 2_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C5A0A push eax; ret 12_2_021C5A0B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005629C7 pushad ; ret 13_2_00563BA2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00563B8E pushad ; ret 13_2_00563BA2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
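The behaviours an endpoint detection would key on are spread across the System Summary and Boot Survival sections: SBG-1100319PurchaseOrder.exe relaunching a copy of itself, wscript.exe running filename1.vbs from AppData\Local\Temp\subfolder1, that script starting filename1.exe from the same folder (which again relaunches itself), the RunOnce value that points at the .vbs, and the TCP connection to 79.134.225.124:2048 in a run where Remcos was identified. The Python below is an added example, not part of the report: it encodes three rules over constructed Sysmon-style events that mirror those observations and correlates them across events (which script a script host is running, who dropped the executable, which images spawned themselves). The PIDs, explorer.exe as the parent of the first wscript.exe (the report lists that parent as unknown), the attribution of the TCP connection to filename1.exe, and the three benign events at the end are assumptions of the example.

```python
import ipaddress
import ntpath
import re

SBG = r"C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe"
VBS = r"C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs"
EXE = r"C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed Sysmon-style telemetry mirroring the report's process tree, RunOnce
# value, dropped file and TCP connection. Event ids follow Sysmon (1 ProcessCreate,
# 3 NetworkConnect, 11 FileCreate, 13 RegistryEvent). PIDs, explorer.exe as parent of
# the first wscript.exe and the process behind the connection are assumptions; the
# last three events are benign noise the rules must ignore.
EVENTS = [
    {"id": 1, "pid": 6224, "ppid": 1234, "image": SBG, "parent_image": EXPLORER, "cmdline": f'"{SBG}"'},
    {"id": 1, "pid": 6352, "ppid": 6224, "image": SBG, "parent_image": SBG, "cmdline": f'"{SBG}"'},
    {"id": 11, "pid": 6352, "image": SBG, "target": EXE},
    {"id": 13, "pid": 6352, "image": SBG,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key", "details": VBS},
    {"id": 1, "pid": 5500, "ppid": 1234, "image": WSCRIPT, "parent_image": EXPLORER,
     "cmdline": f'"{WSCRIPT}" "{VBS}"'},
    {"id": 1, "pid": 5516, "ppid": 5500, "image": EXE, "parent_image": WSCRIPT, "cmdline": EXE},
    {"id": 1, "pid": 5936, "ppid": 5516, "image": EXE, "parent_image": EXE, "cmdline": EXE},
    {"id": 3, "pid": 5936, "image": EXE, "dst_ip": "79.134.225.124", "dst_port": 2048},
    {"id": 13, "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "details": r"C:\Program Files\Vendor\finish.exe"},
    {"id": 1, "pid": 910, "ppid": 1234, "image": WSCRIPT, "parent_image": EXPLORER,
     "cmdline": f'"{WSCRIPT}" "C:\\Scripts\\logon.vbs"'},
    {"id": 3, "pid": 920, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
WEB_PORTS = {80, 443, 8080, 8443}


def is_user_temp(path):
    return bool(USER_TEMP_RE.search(path))


def script_from_cmdline(cmdline):
    """First quoted argument with a script extension, or None."""
    for m in re.finditer(r'"([^"]+)"', cmdline):
        if m.group(1).lower().endswith(SCRIPT_EXT):
            return m.group(1)
    return None


def detect(events):
    alerts = []
    script_by_pid = {}   # script-host pid -> script it runs
    dropped_by = {}      # lower-cased file path -> image that created it
    self_spawned = set() # images that launched a copy of themselves
    for ev in events:
        if ev["id"] == 11:
            dropped_by[ev["target"].lower()] = ev["image"]
        elif ev["id"] == 13:
            # Autostart value pointing at a script under the user's Temp folder
            # (report: RunOnce\Startup key -> ...\Temp\subfolder1\filename1.vbs).
            if (AUTORUN_KEY_RE.search(ev["target"]) and ev["details"].lower().endswith(SCRIPT_EXT)
                    and is_user_temp(ev["details"])):
                alerts.append(("autostart_script_in_temp", ev["image"], ev["details"]))
        elif ev["id"] == 1:
            if ntpath.basename(ev["image"]).lower() in SCRIPT_HOSTS:
                script = script_from_cmdline(ev["cmdline"])
                if script:
                    script_by_pid[ev["pid"]] = script
            # Script host running a Temp script starts an executable from the same folder
            # (report: wscript.exe filename1.vbs -> filename1.exe); name the dropper too.
            parent_script = script_by_pid.get(ev["ppid"])
            if (parent_script and is_user_temp(parent_script)
                    and ntpath.dirname(ev["image"]).lower() == ntpath.dirname(parent_script).lower()):
                alerts.append(("temp_script_spawns_sibling_exe", parent_script, ev["image"],
                               dropped_by.get(ev["image"].lower())))
            if ev["image"].lower() == ev["parent_image"].lower():
                self_spawned.add(ev["image"].lower())
        elif ev["id"] == 3:
            # A self-spawned image (report: process created in suspended mode, likely
            # injection) talking to a public address on a non-web port.
            ip = ipaddress.ip_address(ev["dst_ip"])
            if (ev["image"].lower() in self_spawned and ip.is_global
                    and ev["dst_port"] not in WEB_PORTS):
                alerts.append(("self_spawned_image_nonstandard_port", ev["image"],
                               f"{ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each rule fires once on the constructed chain and not at all on the msiexec RunOnce value, the logon script under C:\Scripts or the browser's port-443 connection. The self-spawn rule is the one that depends on ordering: the ProcessCreate for the copy must be seen before its NetworkConnect, which holds for a live event stream but not necessarily for a log pulled in arbitrary order.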

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00562387 2_2_00562387
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005623A6 13_2_005623A6
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 000000000223033D second address: 00000000022346F2 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F1880CC92A9h
    0x00000010 jmp 00007F1880CC4246h
    0x00000012 test dh, bh
    0x00000014 jmp 00007F1880CC4246h
    0x00000016 cmp al, 27h
    0x00000018 cmp ch, bh
    0x0000001a test bh, dh
    0x0000001c cmp cx, dx
    0x0000001f nop
    0x00000020 mov eax, 00000539h
    0x00000025 mov ecx, dword ptr [ebp+1Ch]
    0x00000028 mov edx, 8802EDACh
    0x0000002d call 00007F1880CC34DAh
    0x00000032 jmp 00007F1880CC4242h
    0x00000034 test cl, 00000039h
    0x00000037 push esi
    0x00000038 jmp 00007F1880CC4242h
    0x0000003a cmp dx, ax
    0x0000003d push edx
    0x0000003e jmp 00007F1880CC4242h
    0x00000040 pushad
    0x00000041 lfence
    0x00000044 rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 00000000022346F2 second address: 0000000002234756 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b push ecx
    0x0000000c jmp 00007F1880CB64F2h
    0x0000000e test ch, bh
    0x00000010 jmp 00007F1880CB64F6h
    0x00000012 test cl, bl
    0x00000014 cmp eax, 00000539h
    0x00000019 jne 00007F1880CB65E9h
    0x0000001f push 6DDB9555h
    0x00000024 jmp 00007F1880CB64F6h
    0x00000026 pushad
    0x00000027 mov edx, 00000015h
    0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 00000000022348F1 second address: 0000000002234988 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add eax, ebx
    0x00000005 mov ebx, dword ptr [eax+78h]
    0x00000008 jmp 00007F1880CC4242h
    0x0000000a cmp eax, ebx
    0x0000000c mov eax, dword ptr [ebp+04h]
    0x0000000f add eax, ebx
    0x00000011 mov ecx, dword ptr [eax+18h]
    0x00000014 jmp 00007F1880CC4242h
    0x00000016 test ecx, edx
    0x00000018 mov dword ptr [ebp+08h], ecx
    0x0000001b jmp 00007F1880CC4242h
    0x0000001d test ch, bh
    0x0000001f mov ecx, dword ptr [eax+1Ch]
    0x00000022 mov dword ptr [ebp+14h], ecx
    0x00000025 jmp 00007F1880CC4246h
    0x00000027 test cl, bl
    0x00000029 mov ecx, dword ptr [eax+24h]
    0x0000002c mov dword ptr [ebp+10h], ecx
    0x0000002f mov esi, dword ptr [eax+20h]
    0x00000032 add esi, dword ptr [ebp+04h]
    0x00000035 xor ecx, ecx
    0x00000037 jmp 00007F1880CC4246h
    0x00000039 pushad
    0x0000003a mov edx, 0000002Eh
    0x0000003f rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F1880CBB559h
    0x00000010 jmp 00007F1880CB64F6h
    0x00000012 test dh, bh
    0x00000014 jmp 00007F1880CB64F6h
    0x00000016 cmp al, 27h
    0x00000018 cmp ch, bh
    0x0000001a test bh, dh
    0x0000001c cmp cx, dx
    0x0000001f nop
    0x00000020 mov eax, 00000539h
    0x00000025 mov ecx, dword ptr [ebp+1Ch]
    0x00000028 mov edx, 8802EDACh
    0x0000002d call 00007F1880CB578Ah
    0x00000032 jmp 00007F1880CB64F2h
    0x00000034 test cl, 00000039h
    0x00000037 push esi
    0x00000038 jmp 00007F1880CB64F2h
    0x0000003a cmp dx, ax
    0x0000003d push edx
    0x0000003e jmp 00007F1880CB64F2h
    0x00000040 pushad
    0x00000041 lfence
    0x00000044 rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b push ecx
    0x0000000c jmp 00007F1880CC4242h
    0x0000000e test ch, bh
    0x00000010 jmp 00007F1880CC4246h
    0x00000012 test cl, bl
    0x00000014 cmp eax, 00000539h
    0x00000019 jne 00007F1880CC4339h
    0x0000001f push 6DDB9555h
    0x00000024 jmp 00007F1880CC4246h
    0x00000026 pushad
    0x00000027 mov edx, 00000015h
    0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add eax, ebx
    0x00000005 mov ebx, dword ptr [eax+78h]
    0x00000008 jmp 00007F1880CB64F2h
    0x0000000a cmp eax, ebx
    0x0000000c mov eax, dword ptr [ebp+04h]
    0x0000000f add eax, ebx
    0x00000011 mov ecx, dword ptr [eax+18h]
    0x00000014 jmp 00007F1880CB64F2h
    0x00000016 test ecx, edx
    0x00000018 mov dword ptr [ebp+08h], ecx
    0x0000001b jmp 00007F1880CB64F2h
    0x0000001d test ch, bh
    0x0000001f mov ecx, dword ptr [eax+1Ch]
    0x00000022 mov dword ptr [ebp+14h], ecx
    0x00000025 jmp 00007F1880CB64F6h
    0x00000027 test cl, bl
    0x00000029 mov ecx, dword ptr [eax+24h]
    0x0000002c mov dword ptr [ebp+10h], ecx
    0x0000002f mov esi, dword ptr [eax+20h]
    0x00000032 add esi, dword ptr [ebp+04h]
    0x00000035 xor ecx, ecx
    0x00000037 jmp 00007F1880CB64F6h
    0x00000039 pushad
    0x0000003a mov edx, 0000002Eh
    0x0000003f rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov ecx, dword ptr [ebp+000000A0h]
    0x00000010 mov edx, AC928EF4h
    0x00000015 call 00007F1880CC5769h
    0x0000001a jmp 00007F1880CC4242h
    0x0000001c test cl, 00000039h
    0x0000001f push esi
    0x00000020 jmp 00007F1880CC4242h
    0x00000022 cmp dx, ax
    0x00000025 push edx
    0x00000026 jmp 00007F1880CC4242h
    0x00000028 pushad
    0x00000029 lfence
    0x0000002c rdtsc
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 00000000021C033D second address: 00000000021C46F2 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F18804EC169h
    0x00000010 jmp 00007F18804E7106h
    0x00000012 test dh, bh
    0x00000014 jmp 00007F18804E7106h
    0x00000016 cmp al, 27h
    0x00000018 cmp ch, bh
    0x0000001a test bh, dh
    0x0000001c cmp cx, dx
    0x0000001f nop
    0x00000020 mov eax, 00000539h
    0x00000025 mov ecx, dword ptr [ebp+1Ch]
    0x00000028 mov edx, 8802EDACh
    0x0000002d call 00007F18804E639Ah
    0x00000032 jmp 00007F18804E7102h
    0x00000034 test cl, 00000039h
    0x00000037 push esi
    0x00000038 jmp 00007F18804E7102h
    0x0000003a cmp dx, ax
    0x0000003d push edx
    0x0000003e jmp 00007F18804E7102h
    0x00000040 pushad
    0x00000041 lfence
    0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 00000000021C46F2 second address: 00000000021C4756 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b push ecx
    0x0000000c jmp 00007F1880CB64F2h
    0x0000000e test ch, bh
    0x00000010 jmp 00007F1880CB64F6h
    0x00000012 test cl, bl
    0x00000014 cmp eax, 00000539h
    0x00000019 jne 00007F1880CB65E9h
    0x0000001f push 6DDB9555h
    0x00000024 jmp 00007F1880CB64F6h
    0x00000026 pushad
    0x00000027 mov edx, 00000015h
    0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 00000000021C48F1 second address: 00000000021C4988 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add eax, ebx
    0x00000005 mov ebx, dword ptr [eax+78h]
    0x00000008 jmp 00007F1880CC4242h
    0x0000000a cmp eax, ebx
    0x0000000c mov eax, dword ptr [ebp+04h]
    0x0000000f add eax, ebx
    0x00000011 mov ecx, dword ptr [eax+18h]
    0x00000014 jmp 00007F1880CC4242h
    0x00000016 test ecx, edx
    0x00000018 mov dword ptr [ebp+08h], ecx
    0x0000001b jmp 00007F1880CC4242h
    0x0000001d test ch, bh
    0x0000001f mov ecx, dword ptr [eax+1Ch]
    0x00000022 mov dword ptr [ebp+14h], ecx
    0x00000025 jmp 00007F1880CC4246h
    0x00000027 test cl, bl
    0x00000029 mov ecx, dword ptr [eax+24h]
    0x0000002c mov dword ptr [ebp+10h], ecx
    0x0000002f mov esi, dword ptr [eax+20h]
    0x00000032 add esi, dword ptr [ebp+04h]
    0x00000035 xor ecx, ecx
    0x00000037 jmp 00007F1880CC4246h
    0x00000039 pushad
    0x0000003a mov edx, 0000002Eh
    0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F1880CBB559h
    0x00000010 jmp 00007F1880CB64F6h
    0x00000012 test dh, bh
    0x00000014 jmp 00007F1880CB64F6h
    0x00000016 cmp al, 27h
    0x00000018 cmp ch, bh
    0x0000001a test bh, dh
    0x0000001c cmp cx, dx
    0x0000001f nop
    0x00000020 mov eax, 00000539h
    0x00000025 mov ecx, dword ptr [ebp+1Ch]
    0x00000028 mov edx, 8802EDACh
    0x0000002d call 00007F1880CB578Ah
    0x00000032 jmp 00007F1880CB64F2h
    0x00000034 test cl, 00000039h
    0x00000037 push esi
    0x00000038 jmp 00007F1880CB64F2h
    0x0000003a cmp dx, ax
    0x0000003d push edx
    0x0000003e jmp 00007F1880CB64F2h
    0x00000040 pushad
    0x00000041 lfence
    0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b push ecx
    0x0000000c jmp 00007F1880CC4242h
    0x0000000e test ch, bh
    0x00000010 jmp 00007F1880CC4246h
    0x00000012 test cl, bl
    0x00000014 cmp eax, 00000539h
    0x00000019 jne 00007F1880CC4339h
    0x0000001f push 6DDB9555h
    0x00000024 jmp 00007F1880CC4246h
    0x00000026 pushad
    0x00000027 mov edx, 00000015h
    0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 add eax, ebx
    0x00000005 mov ebx, dword ptr [eax+78h]
    0x00000008 jmp 00007F1880CB64F2h
    0x0000000a cmp eax, ebx
    0x0000000c mov eax, dword ptr [ebp+04h]
    0x0000000f add eax, ebx
    0x00000011 mov ecx, dword ptr [eax+18h]
    0x00000014 jmp 00007F1880CB64F2h
    0x00000016 test ecx, edx
    0x00000018 mov dword ptr [ebp+08h], ecx
    0x0000001b jmp 00007F1880CB64F2h
    0x0000001d test ch, bh
    0x0000001f mov ecx, dword ptr [eax+1Ch]
    0x00000022 mov dword ptr [ebp+14h], ecx
    0x00000025 jmp 00007F1880CB64F6h
    0x00000027 test cl, bl
    0x00000029 mov ecx, dword ptr [eax+24h]
    0x0000002c mov dword ptr [ebp+10h], ecx
    0x0000002f mov esi, dword ptr [eax+20h]
    0x00000032 add esi, dword ptr [ebp+04h]
    0x00000035 xor ecx, ecx
    0x00000037 jmp 00007F1880CB64F6h
    0x00000039 pushad
    0x0000003a mov edx, 0000002Eh
    0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov ecx, dword ptr [ebp+000000A0h]
    0x00000010 mov edx, AC928EF4h
    0x00000015 call 00007F1880CC5769h
    0x0000001a jmp 00007F1880CC4242h
    0x0000001c test cl, 00000039h
    0x0000001f push esi
    0x00000020 jmp 00007F1880CC4242h
    0x00000022 cmp dx, ax
    0x00000025 push edx
    0x00000026 jmp 00007F1880CC4242h
    0x00000028 pushad
    0x00000029 lfence
    0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02235232 rdtsc 0_2_02235232
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804 Thread sleep count: 81 > 30
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe TID: 6804 Thread sleep time: -40500s >= -30000s
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWXV
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWdwebpl
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00560500 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,00000000,00000000,00000000,00000000 13_2_00560500
Hides threads from debuggers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02235232 rdtsc 0_2_02235232
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005638AC LdrInitializeThunk, 13_2_005638AC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_0223465F mov eax, dword ptr fs:[00000030h] 0_2_0223465F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02231EEC mov eax, dword ptr fs:[00000030h] 0_2_02231EEC
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02231ED8 mov eax, dword ptr fs:[00000030h] 0_2_02231ED8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02232ADD mov eax, dword ptr fs:[00000030h] 0_2_02232ADD
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02231F14 mov eax, dword ptr fs:[00000030h] 0_2_02231F14
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02234FA8 mov eax, dword ptr fs:[00000030h] 0_2_02234FA8
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 0_2_02231C8F mov eax, dword ptr fs:[00000030h] 0_2_02231C8F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00565810 mov eax, dword ptr fs:[00000030h] 2_2_00565810
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056465F mov eax, dword ptr fs:[00000030h] 2_2_0056465F
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00562AC6 mov eax, dword ptr fs:[00000030h] 2_2_00562AC6
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005657DC mov eax, dword ptr fs:[00000030h] 2_2_005657DC
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_005657C0 mov eax, dword ptr fs:[00000030h] 2_2_005657C0
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00565787 mov eax, dword ptr fs:[00000030h] 2_2_00565787
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_0056578A mov eax, dword ptr fs:[00000030h] 2_2_0056578A
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Code function: 2_2_00564FA8 mov eax, dword ptr fs:[00000030h] 2_2_00564FA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C465F mov eax, dword ptr fs:[00000030h] 12_2_021C465F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C2ADD mov eax, dword ptr fs:[00000030h] 12_2_021C2ADD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C1ED8 mov eax, dword ptr fs:[00000030h] 12_2_021C1ED8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C1EEC mov eax, dword ptr fs:[00000030h] 12_2_021C1EEC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C1F14 mov eax, dword ptr fs:[00000030h] 12_2_021C1F14
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C4FA8 mov eax, dword ptr fs:[00000030h] 12_2_021C4FA8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 12_2_021C1C8F mov eax, dword ptr fs:[00000030h] 12_2_021C1C8F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00561ED8 mov eax, dword ptr fs:[00000030h] 13_2_00561ED8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565787 mov eax, dword ptr fs:[00000030h] 13_2_00565787
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00565810 mov eax, dword ptr fs:[00000030h] 13_2_00565810
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00561C8F mov eax, dword ptr fs:[00000030h] 13_2_00561C8F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056465F mov eax, dword ptr fs:[00000030h] 13_2_0056465F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00562ADD mov eax, dword ptr fs:[00000030h] 13_2_00562ADD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00561EEC mov eax, dword ptr fs:[00000030h] 13_2_00561EEC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00561F14 mov eax, dword ptr fs:[00000030h] 13_2_00561F14
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056171F mov eax, dword ptr fs:[00000030h] 13_2_0056171F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005657DC mov eax, dword ptr fs:[00000030h] 13_2_005657DC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_005657C0 mov eax, dword ptr fs:[00000030h] 13_2_005657C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_0056578A mov eax, dword ptr fs:[00000030h] 13_2_0056578A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 13_2_00564FA8 mov eax, dword ptr fs:[00000030h] 13_2_00564FA8

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe Process created: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe 'C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp Binary or memory string: Program Manager
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, logs.dat.2.dr Binary or memory string: [ Program Manager ]
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502461561.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp Binary or memory string: Program Managerk\AppData\Local\Temp\subfolder1\filename1.vbs
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph ID: 388089
Sample: SBG-1100319PurchaseOrder.exe
Startdate: 15/04/2021
Architecture: WINDOWS
Score: 100

Start (node 2)
  DNS/IP: sheilabeltagy4m.hopto.org; micheal3m.hopto.org
  Signatures: Potential malicious icon found; Found malware configuration; Yara detected GuLoader; 5 other signatures
  Started: SBG-1100319PurchaseOrder.exe 1 1 (node 8); wscript.exe (node 11)

SBG-1100319PurchaseOrder.exe 1 1 (node 8)
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); 3 other signatures
  Started: SBG-1100319PurchaseOrder.exe 2 12 (node 13)

wscript.exe (node 11)
  Started: filename1.exe 1 (node 18)

SBG-1100319PurchaseOrder.exe 2 12 (node 13)
  DNS/IP: micheal3m.hopto.org 79.134.225.124, 2048, 49722, 49725 FINK-TELECOM-SERVICESCH Switzerland; vug8la.am.files.1drv.com; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\filename1.exe, PE32; C:\Users\user\AppData\Roaming\...\logs.dat, data; C:\Users\user\AppData\Local\...\filename1.vbs, ASCII
  Signatures: Hides threads from debuggers; Installs a global keyboard hook

filename1.exe 1 (node 18)
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
  Started: filename1.exe 7 (node 20)

filename1.exe 7 (node 20)
  DNS/IP: vug8la.am.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com
  Signatures: Tries to detect Any.run; Hides threads from debuggers

Contacted Public IPs

IP              Domain                     Country      ASN   ASN Name                 Malicious
79.134.225.124  sheilabeltagy4m.hopto.org  Switzerland  6775  FINK-TELECOM-SERVICESCH  false

Contacted Domains

Name IP Active
sheilabeltagy4m.hopto.org 79.134.225.124 true
micheal3m.hopto.org 79.134.225.124 true
onedrive.live.com unknown unknown
vug8la.am.files.1drv.com unknown unknown

Contacted URLs

Name                                                                                Malicious  Antivirus Detection  Reputation
https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%2  false                           high