Source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: KOPEKER.exe | Virustotal: Detection: 62%
Source: KOPEKER.exe | Metadefender: Detection: 32%
Source: KOPEKER.exe | ReversingLabs: Detection: 82%
Source: KOPEKER.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi
Source: C:\Users\user\Desktop\KOPEKER.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004096F2
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409839
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004098C2
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A0E6
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A09B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040994E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A17E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004099E3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409A78
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A29C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409B1B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A335
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040E33C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A3C6
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409BAA
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A45A
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409C39
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A4E5
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409D71
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409E98
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A749
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409F28
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004097AA
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409FB6
Source: KOPEKER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KOPEKER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KOPEKER.exe, 00000000.00000002.986561193.0000000002200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KOPEKER.exe
Source: KOPEKER.exe, 00000000.00000002.1003029734.00000000050D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs KOPEKER.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\KOPEKER.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0ADD49C825BCA8F7.TMP
Source: KOPEKER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KOPEKER.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KOPEKER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match | File source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
Source: Yara match | File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
Source: KOPEKER.exe | Static PE information: real checksum: 0x27f9e should be: 0x1d52b
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00408053 push 8EA106DEh; ret | 0_2_00408058
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00405019 push FFFFFFF4h; retf | 0_2_0040504C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040C903 pushad ; ret | 0_2_0040C938
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040C24B push 7600FFCEh; iretd | 0_2_0040C250
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040445A push 0D010762h; retf | 0_2_00404464
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00402F28 push 713A1CACh; retf | 0_2_00402F98
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00403789 push BB150FDEh; retf | 0_2_0040379C
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\KOPEKER.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621226
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00627309
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062266B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006226AB
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622733
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006227EB
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006227BE
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622787
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626843
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062282E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626806
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626804
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248E3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248C3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006268CF
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248A7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006228B7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062488B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626892
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626966
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626907
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062290E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062690E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006249E7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006249C7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624992
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062699F
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624A2B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624A0B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621C82
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625D75
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625DAE
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625D8B
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions:
Source: KOPEKER.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 000000000040991D second address: 000000000040991D instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, 00000085h
    0x00000008 cmp ebx, 00000000h
    0x0000000b cmp ebx, 0000009Ch
    0x00000011 cmp eax, 10h
    0x00000014 cmp ebx, 27h
    0x00000017 cmp ebx, 24h
    0x0000001a cmp ebx, 00000092h
    0x00000020 fsubr st(5), st(0)
    0x00000022 fldz
    0x00000024 packuswb mm6, mm5
    0x00000027 fldz
    0x00000029 fxch st(0), st(1)
    0x0000002b faddp st(1), st(0)
    0x0000002d fpatan
    0x0000002f jmp 00007F44BC95AAFEh
    0x00000031 cmp ebx, 63h
    0x00000034 cmp ebx, 000000C6h
    0x0000003a cmp eax, 000000A7h
    0x0000003f cmp edi, 02EAFF40h
    0x00000045 movd mm1, ebx
    0x00000048 movd mm1, ebx
    0x0000004b movd mm1, ebx
    0x0000004e movd mm1, ebx
    0x00000051 fst st(4)
    0x00000053 pslld mm5, 15h
    0x00000057 fabs
    0x00000059 psrlw mm4, A7h
    0x0000005d fnclex
    0x0000005f punpckhwd xmm4, xmm1
    0x00000063 psubusb mm5, mm1
    0x00000066 jmp 00007F44BC95AAF9h
    0x00000068 jne 00007F44BC95A8F8h
    0x0000006e inc edi
    0x0000006f cmp ebx, 000000C2h
    0x00000075 cmp eax, 00000099h
    0x0000007a cmp ebx, 5Dh
    0x0000007d cmp eax, 00000096h
    0x00000082 cmp eax, 68h
    0x00000085 cmp eax, 40h
    0x00000088 psraw xmm7, xmm3
    0x0000008c paddb xmm4, xmm5
    0x00000090 ffree st(3)
    0x00000092 psraw mm4, mm6
    0x00000095 fninit
    0x00000097 punpcklbw mm6, mm1
    0x0000009a psubw xmm0, xmm1
    0x0000009e jmp 00007F44BC95AAFDh
    0x000000a0 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 0000000000626071 second address: 000000000062607D instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b pushad
    0x0000000c rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 00000000006258C4 second address: 00000000006259C6 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov eax, dword ptr [ebp+04h]
    0x0000000e jmp 00007F44BC95CB9Ah
    0x00000010 cmp cl, dl
    0x00000012 add eax, ebx
    0x00000014 mov ecx, dword ptr [eax+18h]
    0x00000017 jmp 00007F44BC95CB9Ah
    0x00000019 cmp eax, 92C74976h
    0x0000001e mov dword ptr [ebp+08h], ecx
    0x00000021 mov ecx, dword ptr [eax+1Ch]
    0x00000024 jmp 00007F44BC95CB9Ah
    0x00000026 pushad
    0x00000027 mov di, 847Ch
    0x0000002b cmp di, 847Ch
    0x00000030 jne 00007F44BC95C80Ch
    0x00000036 popad
    0x00000037 mov dword ptr [ebp+14h], ecx
    0x0000003a mov ecx, dword ptr [eax+24h]
    0x0000003d mov dword ptr [ebp+10h], ecx
    0x00000040 jmp 00007F44BC95CB9Ah
    0x00000042 cmp ecx, ecx
    0x00000044 mov esi, dword ptr [eax+20h]
    0x00000047 jmp 00007F44BC95CB9Ah
    0x00000049 cmp ah, ch
    0x0000004b add esi, dword ptr [ebp+04h]
    0x0000004e xor ecx, ecx
    0x00000050 jmp 00007F44BC95CB9Ah
    0x00000052 cmp eax, edx
    0x00000054 jmp 00007F44BC95CB9Ah
    0x00000056 pushad
    0x00000057 lfence
    0x0000005a rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 00000000006257CD second address: 00000000006258C4 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F44BC95AB2Bh
    0x00000010 jmp 00007F44BC95AABAh
    0x00000012 cmp ah, ch
    0x00000014 mov dword ptr [ebp+04h], eax
    0x00000017 jmp 00007F44BC95AABAh
    0x00000019 cmp eax, edx
    0x0000001b mov ebx, dword ptr [eax+3Ch]
    0x0000001e add eax, ebx
    0x00000020 mov ebx, dword ptr [eax+78h]
    0x00000023 jmp 00007F44BC95AABAh
    0x00000025 pushad
    0x00000026 lfence
    0x00000029 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004096F2 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | Window / User API: threadDelayed 1256
Source: C:\Users\user\Desktop\KOPEKER.exe | Window / User API: threadDelayed 8744
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KOPEKER.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\KOPEKER.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006231CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006222F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006222C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622286 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622295 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626806 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626804 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621C82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625F2A mov eax, dword ptr fs:[00000030h]
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock