Source: NP__000009116_11-05-2021_08_40_37.exe
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO"}
Source: NP__000009116_11-05-2021_08_40_37.exe
Virustotal: Detection: 25%
Source: NP__000009116_11-05-2021_08_40_37.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.762821302.00000000006FA000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F1B8C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F33B5 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F375D NtProtectVirtualMemory
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_0040157B
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_0040176A
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_004017B7
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000000.237164633.0000000000414000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763380076.0000000002110000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.767126185.0000000002A10000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenamerammier.exeFE2X vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe
Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe
Source: classification engine
Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
File created: C:\Users\user\AppData\Local\Temp\~DFAFF35D8849DF2CC2.TMP
Source: NP__000009116_11-05-2021_08_40_37.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Yara match
File source: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_00405570 push ecx; ret 1_2_00405580
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_004067EB push esi; iretd 1_2_004067ED
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F1EC9
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F1E0F
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2DBA
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F18AB second address: 00000000029F18AB instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a mov ecx, 00001000h
  0x0000000f test edx, ebx
  0x00000011 div ecx
  0x00000013 cmp edx, 00000000h
  0x00000016 jne 00007F37C500D3A2h
  0x00000018 dec ebx
  0x00000019 xor edx, edx
  0x0000001b cmp bl, al
  0x0000001d mov eax, ebx
  0x0000001f pushad
  0x00000020 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F2C6B second address: 00000000029F2C6B instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a shl eax, 05h
  0x0000000d add eax, ebx
  0x0000000f movzx ecx, byte ptr [esi]
  0x00000012 cmp edx, eax
  0x00000014 add eax, ecx
  0x00000016 xor eax, A06C3E3Fh
  0x0000001b cmp edx, F2FD7140h
  0x00000021 inc esi
  0x00000022 cmp byte ptr [esi], 00000000h
  0x00000025 jne 00007F37C443C430h
  0x00000027 cmp byte ptr [esi], FFFFFFA4h
  0x0000002a jnc 00007F37C443C49Fh
  0x0000002c test bx, ax
  0x0000002f mov ebx, eax
  0x00000031 pushad
  0x00000032 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F2BAA second address: 00000000029F2BAA instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F2AB4 second address: 00000000029F2AB4 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F1D14 second address: 00000000029F1D14 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F2DBE second address: 00000000029F2DBE instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
RDTSC instruction interceptor: First address: 00000000029F2E84 second address: 00000000029F2E84 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2C97 rdtsc
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2C97 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F1885 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2AD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F0CE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F3118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F1127 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2D21 mov eax, dword ptr fs:[00000030h]
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp
Binary or memory string: SProgram Managerl
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd,
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Code function: 1_2_029F2C97 cpuid