Source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]} |
Source: transferencia.exe | Virustotal: Detection: 46% |
Source: transferencia.exe | ReversingLabs: Detection: 34% |
Source: transferencia.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu |
Source: C:\Users\user\Desktop\transferencia.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_023051D1 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D8D |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404A43 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404646 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404847 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404233 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040443C |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004046C1 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004044C5 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004048D1 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004040BF |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040474A |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040454B |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404139 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040433B |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004049C9 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004045CD |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004047D0 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004041B5 |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004043B6 |
Source: transferencia.exe, 00000000.00000000.329335806.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe |
Source: transferencia.exe | Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\transferencia.exe | File created: C:\Users\user\AppData\Local\Temp\~DF5CA7D5DF6D4DEBEB.TMP |
Source: transferencia.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\transferencia.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\transferencia.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040EE14 push dword ptr [ebp-08h]; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00409A3C push esi; iretd |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00409CD7 push ecx; iretd |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403CEE push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00409C9C push ecx; iretd |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D42 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D45 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D48 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D4B push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D4E push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D51 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D54 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D57 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D5A push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D5D push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D60 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D63 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D66 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D69 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D6C push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D6F push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D72 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D75 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D78 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D7B push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D7E push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0040590E push eax; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D39 push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D3C push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D3F push ebp; ret |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00408BE3 push ecx; iretd |
Source: C:\Users\user\Desktop\transferencia.exe | Process information set: NOOPENFILEERRORBOX |
Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\transferencia.exe | RDTSC instruction interceptor: First address: 00000000023025D2 second address: 00000000023025D2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FED9C71556Bh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FED9C715551h 0x00000026 cmp dl, bl 0x00000028 push ecx 0x00000029 call 00007FED9C71561Fh 0x0000002e call 00007FED9C71557Bh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_02301057 rdtsc |
Source: C:\Users\user\Desktop\transferencia.exe | API coverage: 8.9 % |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\transferencia.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00403D8D mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404233 mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004040BF mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_00404139 mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_004041B5 mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_02301808 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_02301609 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_02304474 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_02304078 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0230245C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0230115F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_023049B4 mov eax, dword ptr fs:[00000030h] |
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: &Program Manager |
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\transferencia.exe | Code function: 0_2_0230435E cpuid |
Source: C:\Users\user\Desktop\transferencia.exe | Queries volume information: C:\ VolumeInformation |