
Analysis Report udmugning.exe

Overview

General Information

Sample Name: udmugning.exe
Analysis ID: 395203
MD5: 3d04ed12388c92e15361681ef1921d7f
SHA1: 8820ff07e1f60121a057b0303dc7746ea4960617
SHA256: 99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • udmugning.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\udmugning.exe' MD5: 3D04ED12388C92E15361681EF1921D7F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| udmugning.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |
| 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 1.0.udmugning.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |
| 1.2.udmugning.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: udmugning.exe | Metadefender: Detection: 35%
Source: udmugning.exe | ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: udmugning.exe | Joe Sandbox ML: detected
Source: udmugning.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040994D
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004011CA
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004099E1
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_00409A6E
Source: udmugning.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: udmugning.exe, 00000001.00000002.474813749.0000000002300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs udmugning.exe
Source: udmugning.exe, 00000001.00000002.485300567.0000000005090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs udmugning.exe
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\udmugning.exe | File created: C:\Users\user\AppData\Local\Temp\~DF5440564B0D50F574.TMP
Source: udmugning.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\udmugning.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\udmugning.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: udmugning.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
Source: udmugning.exe | Static PE information: real checksum: 0x1fc2a should be: 0x22a75
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040414F push ebp; iretd 1_2_004041A3
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040C126 push 7600FFCEh; iretd 1_2_0040C12B
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_00409138 push eax; iretd 1_2_00409139
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004011CA push 02A3CF73h; iretd 1_2_0040141C
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004039D5 push esp; iretd 1_2_004039DB
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040877A push ebx; ret 1_2_00408782
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040C7DE pushad ; ret 1_2_0040C813
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004067F8 push es; iretd 1_2_00406802

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\udmugning.exe | Process information set: NOOPENFILEERRORBOX (reported 22 times)
Source: C:\Users\user\Desktop\udmugning.exe | Window / User API: threadDelayed 4610
Source: C:\Users\user\Desktop\udmugning.exe | Window / User API: threadDelayed 5389
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\udmugning.exe | Last function: Thread delayed

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\udmugning.exe | Process Stats: CPU usage > 90% for more than 60s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Numbers in parentheses reproduce the superscript counts attached to the matched techniques in the original matrix.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (11) | LSASS Memory | Virtualization/Sandbox Evasion (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.