Source: 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]} |
Source: faktura_fk.exe |
Virustotal: Detection: 17% |
Perma Link |
Source: faktura_fk.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1O7Zrj0oTVUPxo7h5leOqWms2QfQkCgBK |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process Stats: CPU usage > 98% |
Source: faktura_fk.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: faktura_fk.exe, 00000001.00000002.1277430799.00000000020C0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000000.194842792.0000000000433000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe SolutionseSafe Solutions vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutions vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exeFE2X vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutionsi~C vs faktura_fk.exe |
Source: faktura_fk.exe, 00000001.00000002.1277776072.00000000021F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKnudepunkternes2.exeFE2XeSafe Solutionsf`L vs faktura_fk.exe |
Source: faktura_fk.exe |
Binary or memory string: OriginalFilenameKnudepunkternes2.exe vs faktura_fk.exe |
Source: faktura_fk.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0 |
Source: faktura_fk.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: faktura_fk.exe |
Virustotal: Detection: 17% |
Source: Yara match |
File source: 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: faktura_fk.exe PID: 6352, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: faktura_fk.exe PID: 6352, type: MEMORY |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Code function: 1_2_00407828 push ds; ret |
1_2_00407833 |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Code function: 1_2_004063F3 push 85E0C3F5h; retf |
1_2_00406412 |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Code function: 1_2_00407792 push es; ret |
1_2_0040779B |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005129E9 second address: 00000000005129E9 instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005129AA second address: 00000000005129AA instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 000000000051284C second address: 00000000005128CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007FD3A88B113Bh 0x00000037 pushad 0x00000038 rdtsc |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005128CA second address: 00000000005128CA instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 0000000000512886 second address: 0000000000512886 instructions: |
Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9 |
Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005129E9 second address: 00000000005129E9 instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005129AA second address: 00000000005129AA instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 000000000051284C second address: 00000000005128CA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+1Ch] 0x0000000d test ah, ah 0x0000000f mov dword ptr [ebp+14h], ecx 0x00000012 fnop 0x00000014 mov ecx, dword ptr [eax+24h] 0x00000017 mov dword ptr [ebp+10h], ecx 0x0000001a mov esi, dword ptr [eax+20h] 0x0000001d add esi, dword ptr [ebp+04h] 0x00000020 xor ecx, ecx 0x00000022 test edx, edx 0x00000024 mov edx, dword ptr [esi] 0x00000026 test ebx, ebx 0x00000028 add edx, dword ptr [ebp+04h] 0x0000002b push ecx 0x0000002c test dh, ch 0x0000002e push esi 0x0000002f push edx 0x00000030 test bl, cl 0x00000032 call 00007FD3A88B113Bh 0x00000037 pushad 0x00000038 rdtsc |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 00000000005128CA second address: 00000000005128CA instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 0000000000512886 second address: 0000000000512886 instructions: |
Source: C:\Users\user\Desktop\faktura_fk.exe |
RDTSC instruction interceptor: First address: 000000000051187C second address: 000000000051187C instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD3A8DDBAFAh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp edx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp eax, eax 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007FD3A8DDBADCh 0x0000002a push ecx 0x0000002b test ah, FFFFFF84h 0x0000002e call 00007FD3A8DDBB11h 0x00000033 call 00007FD3A8DDBB0Ah 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9 |
Source: faktura_fk.exe, 00000001.00000002.1276915802.0000000000510000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\faktura_fk.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: faktura_fk.exe, 00000001.00000002.1277213879.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |