
Analysis Report KOPEKER.exe

Overview

General Information

Sample Name: KOPEKER.exe
Analysis ID: 392084
MD5: cd885321b35b73421cd63e3150d677f7
SHA1: 2f09e0eb93927d82076f34549b0d4d3b7b393aab
SHA256: 495edfb60c0a9af0c57251ce28ca0bcf4c911324f59074f99c2797e36c3f3ef4
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • KOPEKER.exe (PID: 5760, cmdline: 'C:\Users\user\Desktop\KOPEKER.exe', MD5: CD885321B35B73421CD63E3150D677F7)

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: KOPEKER.exe PID: 5760 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: KOPEKER.exe PID: 5760 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Multi AV Scanner detection for submitted file
Source: KOPEKER.exe | Virustotal: Detection: 62%
Source: KOPEKER.exe | Metadefender: Detection: 32%
Source: KOPEKER.exe | ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: KOPEKER.exe | Joe Sandbox ML: detected
Source: KOPEKER.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\KOPEKER.exe | Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004096F2
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409839
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004098C2
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A0E6
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A09B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040994E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A17E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004099E3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409A78
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A29C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409B1B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A335
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040E33C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A3C6
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409BAA
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A45A
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409C39
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A4E5
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409D71
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409E98
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040A749
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409F28
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004097AA
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00409FB6
PE file contains strange resources
Source: KOPEKER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KOPEKER.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: KOPEKER.exe, 00000000.00000002.986561193.0000000002200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KOPEKER.exe
Source: KOPEKER.exe, 00000000.00000002.1003029734.00000000050D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs KOPEKER.exe
Uses 32bit PE files
Source: KOPEKER.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\KOPEKER.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0ADD49C825BCA8F7.TMP
Source: KOPEKER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KOPEKER.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KOPEKER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KOPEKER.exe | Virustotal: Detection: 62%
Source: KOPEKER.exe | Metadefender: Detection: 32%
Source: KOPEKER.exe | ReversingLabs: Detection: 82%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
PE file contains an invalid checksum
Source: KOPEKER.exe | Static PE information: real checksum: 0x27f9e should be: 0x1d52b
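The linker writes IMAGE_OPTIONAL_HEADER.CheckSum at link time; a value that is non-zero yet wrong means the file was modified after linking or was emitted by a builder that fills the field without computing it, which is why the sandbox scores it. A stored value of zero is a different case: many VB6 and packed binaries never set the field at all, and the loader only enforces it for drivers and a few system DLLs. The Python below is an added example, not the report's or Joe Sandbox's code. It recomputes the checksum with the documented algorithm (16-bit word sum with carries folded back in, skipping the CheckSum field itself, plus the file length) over a constructed 512-byte PE-shaped stub and compares the result with the stored value; the stub is not KOPEKER.exe.

```python
"""Recompute a PE image checksum the way the loader does. Added example,
not code from the report or from Joe Sandbox. The buffer built below is a
constructed stub (MZ header, PE signature, zeroed headers), not KOPEKER.exe.
"""
import struct

E_LFANEW_OFFSET = 0x3C              # DWORD in the DOS header pointing at "PE\0\0"
FILE_HEADER_SIZE = 20               # IMAGE_FILE_HEADER after the 4-byte signature
CHECKSUM_IN_OPTIONAL_HEADER = 64    # IMAGE_OPTIONAL_HEADER.CheckSum (PE32 and PE32+)


def checksum_field_offset(data):
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 4 + FILE_HEADER_SIZE + CHECKSUM_IN_OPTIONAL_HEADER


def compute_pe_checksum(data):
    """Same algorithm as CheckSumMappedFile: sum every 16-bit little-endian
    word, folding the carry back into the low 16 bits, skip the two words of
    the CheckSum field, then add the file length."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data):
    """The value the linker (or whoever touched the file last) left in the header."""
    (value,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    return value


def checksum_status(data):
    """Return (stored, computed, ok). A non-zero stored value that differs
    from the computed one is the 'invalid checksum' condition the report flags."""
    stored = stored_pe_checksum(data)
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def build_stub(stored_checksum):
    """Constructed 512-byte PE-shaped buffer with a chosen CheckSum value."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    field = 0x40 + 4 + FILE_HEADER_SIZE + CHECKSUM_IN_OPTIONAL_HEADER
    struct.pack_into("<I", buf, field, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    consistent = build_stub(compute_pe_checksum(build_stub(0)))
    tampered = build_stub(0x1234)
    for name, blob in (("consistent", consistent), ("tampered", tampered)):
        stored, computed, ok = checksum_status(blob)
        print(f"{name}: stored 0x{stored:x} computed 0x{computed:x} ok={ok}")
```

Run against a real file by passing `open(path, "rb").read()` to `checksum_status`; the stub exists only so the block runs offline.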
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00408053 push 8EA106DEh; ret 0_2_00408058
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00405019 push FFFFFFF4h; retf 0_2_0040504C
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040C903 pushad ; ret 0_2_0040C938
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040C24B push 7600FFCEh; iretd 0_2_0040C250
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0040445A push 0D010762h; retf 0_2_00404464
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00402F28 push 713A1CACh; retf 0_2_00402F98
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00403789 push BB150FDEh; retf 0_2_0040379C
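A `push imm32` followed by `ret` is an unconditional jump to the pushed value that a linear-sweep disassembler does not follow, so the bytes after the `ret` are decoded as unreachable junk and the real flow is hidden. The first entry above (push at 0x00408053, ret at 0x00408058) is the adjacent form; the others have junk bytes between the push and the `retf`/`iretd`, which is why the sandbox reports two addresses. The Python below is an added example, not the report's or Joe Sandbox's code: a small scanner for that pattern over a constructed byte buffer whose base address is chosen so that its first hit reproduces the report's first entry. The gap parameter shows the trade-off: tolerating bytes between the push and the return catches the report's other hits but also matches an ordinary `push; pop; ret` epilogue.

```python
"""Flag 'push imm; ret' sequences, which turn a return into an unconditional
jump hidden from linear disassembly. Added example, not code from the
report or from Joe Sandbox; the byte buffer below is constructed.
"""
import struct

# Opcodes involved (Intel SDM): push imm32 = 68 id, push imm8 = 6A ib
# (sign-extended), ret = C3, ret imm16 = C2 iw, retf = CB,
# retf imm16 = CA iw, iretd = CF.
RETURNS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf",
           0xCA: "retf imm16", 0xCF: "iretd"}


def _push_immediate(code, i):
    """Decode a push-immediate starting at i; return (imm32, length) or None."""
    op = code[i]
    if op == 0x68 and i + 5 <= len(code):
        return struct.unpack_from("<I", code, i + 1)[0], 5
    if op == 0x6A and i + 2 <= len(code):
        return struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF, 2
    return None


def scan_push_ret(code, base=0, max_gap=0):
    """Return (push_addr, target, return_mnemonic, ret_addr) for every
    push-immediate followed, after at most max_gap bytes, by a return.

    This is a byte sweep, not a disassembly: a 68/6A inside an immediate or
    a displacement is also tested, so treat hits as leads to confirm.
    """
    hits = []
    for i in range(len(code)):
        decoded = _push_immediate(code, i)
        if decoded is None:
            continue
        imm, length = decoded
        for j in range(i + length, min(i + length + max_gap + 1, len(code))):
            if code[j] in RETURNS:
                hits.append((base + i, imm, RETURNS[code[j]], base + j))
                break
    return hits


# Constructed code; the pushed values are the ones the report printed.
SAMPLE = bytes([
    0x55,                          # push ebp
    0x8B, 0xEC,                    # mov ebp, esp
    0x68, 0xDE, 0x06, 0xA1, 0x8E,  # push 8EA106DEh
    0xC3,                          # ret             -> jump to 0x8EA106DE
    0x90, 0x90,                    # nop; nop
    0x6A, 0xF4,                    # push FFFFFFF4h  (6A F4, sign-extended)
    0x90,                          # junk byte between push and retf
    0xCB,                          # retf
    0x68, 0x34, 0x12, 0x00, 0x00,  # push 1234h      (ordinary argument push)
    0x5B,                          # pop ebx
    0xC3,                          # ret             (normal epilogue)
])
SAMPLE_BASE = 0x00408050  # chosen so the first hit lands at 0x00408053

if __name__ == "__main__":
    for gap in (0, 1):
        print(f"max_gap={gap}:")
        for push_addr, target, ret, ret_addr in scan_push_ret(SAMPLE, SAMPLE_BASE, gap):
            print(f"  {push_addr:08X} push {target:08X}h ; {ret} at {ret_addr:08X}")
```

With `max_gap=0` only the adjacent `push 8EA106DEh; ret` is reported; with `max_gap=1` the `push FFFFFFF4h; nop; retf` hit appears, and so does the benign `push 1234h; pop ebx; ret`, which is the false positive a wider gap buys.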

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\KOPEKER.exe | Process information set: NOOPENFILEERRORBOX (reported 22 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621226
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00627309
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062266B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006226AB
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622733
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006227EB
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006227BE
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622787
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626843
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062282E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626806
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626804
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248E3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248C3
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006268CF
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006248A7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006228B7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062488B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626892
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626966
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626907
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062290E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062690E
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006249E7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006249C7
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624992
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_0062699F
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624A2B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00624A0B
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621C82
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625D75
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625DAE
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625D8B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions: (none listed)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KOPEKER.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 000000000040991D second address: 000000000040991D instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, 00000085h
    0x00000008 cmp ebx, 00000000h
    0x0000000b cmp ebx, 0000009Ch
    0x00000011 cmp eax, 10h
    0x00000014 cmp ebx, 27h
    0x00000017 cmp ebx, 24h
    0x0000001a cmp ebx, 00000092h
    0x00000020 fsubr st(5), st(0)
    0x00000022 fldz
    0x00000024 packuswb mm6, mm5
    0x00000027 fldz
    0x00000029 fxch st(0), st(1)
    0x0000002b faddp st(1), st(0)
    0x0000002d fpatan
    0x0000002f jmp 00007F44BC95AAFEh
    0x00000031 cmp ebx, 63h
    0x00000034 cmp ebx, 000000C6h
    0x0000003a cmp eax, 000000A7h
    0x0000003f cmp edi, 02EAFF40h
    0x00000045 movd mm1, ebx
    0x00000048 movd mm1, ebx
    0x0000004b movd mm1, ebx
    0x0000004e movd mm1, ebx
    0x00000051 fst st(4)
    0x00000053 pslld mm5, 15h
    0x00000057 fabs
    0x00000059 psrlw mm4, A7h
    0x0000005d fnclex
    0x0000005f punpckhwd xmm4, xmm1
    0x00000063 psubusb mm5, mm1
    0x00000066 jmp 00007F44BC95AAF9h
    0x00000068 jne 00007F44BC95A8F8h
    0x0000006e inc edi
    0x0000006f cmp ebx, 000000C2h
    0x00000075 cmp eax, 00000099h
    0x0000007a cmp ebx, 5Dh
    0x0000007d cmp eax, 00000096h
    0x00000082 cmp eax, 68h
    0x00000085 cmp eax, 40h
    0x00000088 psraw xmm7, xmm3
    0x0000008c paddb xmm4, xmm5
    0x00000090 ffree st(3)
    0x00000092 psraw mm4, mm6
    0x00000095 fninit
    0x00000097 punpcklbw mm6, mm1
    0x0000009a psubw xmm0, xmm1
    0x0000009e jmp 00007F44BC95AAFDh
    0x000000a0 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 0000000000626071 second address: 000000000062607D instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b pushad
    0x0000000c rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions: (none listed)
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 00000000006258C4 second address: 00000000006259C6 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov eax, dword ptr [ebp+04h]
    0x0000000e jmp 00007F44BC95CB9Ah
    0x00000010 cmp cl, dl
    0x00000012 add eax, ebx
    0x00000014 mov ecx, dword ptr [eax+18h]
    0x00000017 jmp 00007F44BC95CB9Ah
    0x00000019 cmp eax, 92C74976h
    0x0000001e mov dword ptr [ebp+08h], ecx
    0x00000021 mov ecx, dword ptr [eax+1Ch]
    0x00000024 jmp 00007F44BC95CB9Ah
    0x00000026 pushad
    0x00000027 mov di, 847Ch
    0x0000002b cmp di, 847Ch
    0x00000030 jne 00007F44BC95C80Ch
    0x00000036 popad
    0x00000037 mov dword ptr [ebp+14h], ecx
    0x0000003a mov ecx, dword ptr [eax+24h]
    0x0000003d mov dword ptr [ebp+10h], ecx
    0x00000040 jmp 00007F44BC95CB9Ah
    0x00000042 cmp ecx, ecx
    0x00000044 mov esi, dword ptr [eax+20h]
    0x00000047 jmp 00007F44BC95CB9Ah
    0x00000049 cmp ah, ch
    0x0000004b add esi, dword ptr [ebp+04h]
    0x0000004e xor ecx, ecx
    0x00000050 jmp 00007F44BC95CB9Ah
    0x00000052 cmp eax, edx
    0x00000054 jmp 00007F44BC95CB9Ah
    0x00000056 pushad
    0x00000057 lfence
    0x0000005a rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | RDTSC instruction interceptor: First address: 00000000006257CD second address: 00000000006258C4 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b call 00007F44BC95AB2Bh
    0x00000010 jmp 00007F44BC95AABAh
    0x00000012 cmp ah, ch
    0x00000014 mov dword ptr [ebp+04h], eax
    0x00000017 jmp 00007F44BC95AABAh
    0x00000019 cmp eax, edx
    0x0000001b mov ebx, dword ptr [eax+3Ch]
    0x0000001e add eax, ebx
    0x00000020 mov ebx, dword ptr [eax+78h]
    0x00000023 jmp 00007F44BC95AABAh
    0x00000025 pushad
    0x00000026 lfence
    0x00000029 rdtsc
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004096F2 rdtsc
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\KOPEKER.exe | Window / User API: threadDelayed 1256
Source: C:\Users\user\Desktop\KOPEKER.exe | Window / User API: threadDelayed 8744
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KOPEKER.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
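The interceptor output above shows the shape of GuLoader's timing checks rather than a single check: every `rdtsc` is immediately followed by `lfence; shl edx, 20h; or edx, eax` (serialise, then build the 64-bit counter in edx:eax), the work between two reads is wrapped in `pushad`/`popad`, and the code in between is real: the last two dumps walk `[eax+3Ch]` (e_lfanew) to `[eax+78h]` (the export directory RVA) and then read the export directory fields at 18h, 1Ch, 20h and 24h (NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals), i.e. API resolution by walking exports, timed as a side effect. A sandbox that single-steps or hooks those reads inflates the delta and is caught. The Python below is an added example, not the report's or Joe Sandbox's code: a static counterpart of the interceptor that finds `rdtsc` sites in a code buffer, checks for the serialised 64-bit tail, and pairs consecutive reads within a span, which is how the first/second addresses above pair up. The buffer is constructed from the 12-byte sequence printed for 0x00626071, plus a second pair without the tail; the base address is chosen so the first pair reproduces the report's addresses.

```python
"""Static counterpart of the report's 'RDTSC instruction interceptor':
find rdtsc sites and the 64-bit TSC assembly that follows them, then pair
consecutive reads. Added example, not from the report or Joe Sandbox; the
code buffer is constructed from the instruction sequence printed above.
"""

RDTSC = b"\x0f\x31"
# The tail GuLoader places right after rdtsc:
#   lfence (0F AE E8); shl edx, 20h (C1 E2 20); or edx, eax (09 C2 or 0B D0)
TSC64_TAILS = (
    b"\x0f\xae\xe8\xc1\xe2\x20\x09\xc2",
    b"\x0f\xae\xe8\xc1\xe2\x20\x0b\xd0",
)


def find_rdtsc(code):
    """Offsets of every 0F 31 in the buffer. This is a byte sweep, not a
    disassembly, so a 0F 31 inside an immediate also matches; treat hits as leads."""
    return [i for i in range(len(code) - 1) if code[i:i + 2] == RDTSC]


def tsc64_after(code, off):
    """True when the serialised lfence/shl/or tail follows the rdtsc at off."""
    return code[off + 2:off + 10] in TSC64_TAILS


def rdtsc_pairs(code, base=0, max_span=4096):
    """Pair consecutive rdtsc sites that lie within max_span bytes of each
    other: read, do something, read again, compare is the timing-check shape.
    Returns dicts with both addresses, the byte span, and whether the first
    read is followed by the 64-bit composition tail."""
    sites = find_rdtsc(code)
    pairs = []
    for first, second in zip(sites, sites[1:]):
        if second - first > max_span:
            continue
        pairs.append({
            "first": base + first,
            "second": base + second,
            "span": second - first,
            "serialized_64bit": tsc64_after(code, first),
        })
    return pairs


# Constructed buffer. The first 14 bytes are exactly the sequence the
# interceptor printed for 0x00626071: rdtsc; lfence; shl edx,20h; or edx,eax;
# popad; pushad; rdtsc. Then padding and a second, unserialised pair.
SAMPLE = (
    b"\x0f\x31" b"\x0f\xae\xe8" b"\xc1\xe2\x20" b"\x09\xc2" b"\x61" b"\x60" b"\x0f\x31"
    + b"\x90" * 40
    + b"\x0f\x31" b"\x8b\xd8" + b"\x90" * 10 + b"\x0f\x31"   # rdtsc; mov ebx,eax; ...; rdtsc
)
SAMPLE_BASE = 0x00626071  # chosen so the first pair matches the report

if __name__ == "__main__":
    for p in rdtsc_pairs(SAMPLE, SAMPLE_BASE, max_span=30):
        print(f"first {p['first']:08X} second {p['second']:08X} "
              f"span {p['span']} serialized_64bit={p['serialized_64bit']}")
```

The first pair comes out as first 0x00626071, second 0x0062607D with a 12-byte span, which is the report's second interceptor entry; the pairing across the padding (offsets 12 to 54) is dropped by `max_span=30`, and the second pair is reported without the serialised tail. In practice a pair with the tail, a large span of junk, and a compare against a constant afterwards is the signature to triage first.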

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\KOPEKER.exe | Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_004096F2 rdtsc
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006231CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006222F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_006222C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622286 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00622295 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626806 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00626804 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00621C82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KOPEKER.exe | Code function: 0_2_00625F2A mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques matched in this analysis, by tactic. The digits are the per-technique signature counts the report prints beside each matched cell, kept as printed; the unmatched template cells of the full matrix are omitted.

Tactic               | Technique                        | Count
Privilege Escalation | Process Injection                | 1
Defense Evasion      | Masquerading                     | 1
Defense Evasion      | Virtualization/Sandbox Evasion   | 1 1
Defense Evasion      | Process Injection                | 1
Defense Evasion      | Obfuscated Files or Information  | 1
Discovery            | Security Software Discovery      | 5 1 1
Discovery            | Virtualization/Sandbox Evasion   | 1 1
Discovery            | Process Discovery                | 1
Discovery            | Application Window Discovery     | 1
Discovery            | System Information Discovery     | 3 1
Collection           | Archive Collected Data           | 1
Command and Control  | Encrypted Channel                | 1
Command and Control  | Application Layer Protocol       | 1
