Analysis Report PC21-270421.exe

Overview

General Information

Sample Name: PC21-270421.exe
Analysis ID: 430961
MD5: 140733109e3a3b3de2ae1aaf164178da
SHA1: 5f8685572c91386045a5f458b298ee8c6934277c
SHA256: 4bb04df120eb27c3f5b3a46a54891b927fe4232fdaf75b9ecaddc2f24d61533c

Detection

GuLoader
Score: 57
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains capabilities to detect virtual machines
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: PC21-270421.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6"}
Multi AV Scanner detection for submitted file
Source: PC21-270421.exe Virustotal: Detection: 33%
Source: PC21-270421.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: PC21-270421.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Detected potential crypto function
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004014B8 0_2_004014B8
PE file contains strange resources
Source: PC21-270421.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PC21-270421.exe, 00000000.00000000.658336766.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
Source: PC21-270421.exe, 00000000.00000002.685380233.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PC21-270421.exe
Source: PC21-270421.exe Binary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
Uses 32bit PE files
Source: PC21-270421.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal57.rans.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PC21-270421.exe File created: C:\Users\user\Desktop\Bortdsledes
Source: PC21-270421.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PC21-270421.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PC21-270421.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PC21-270421.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PC21-270421.exe Virustotal: Detection: 33%
Source: PC21-270421.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\PC21-270421.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PC21-270421.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: PC21-270421.exe, type: SAMPLE
Source: Yara match File source: 0.0.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00410040 push edx; iretd 0_2_0041004B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040D844 push edx; iretd 0_2_0040D84F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040F844 push edx; iretd 0_2_0040F84F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040B04B push ebx; iretd 0_2_0040B00F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0041004C push ebx; iretd 0_2_004100BF
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040E050 push edx; iretd 0_2_0040E0EB
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00415051 push edx; iretd 0_2_0041506B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0041105B push edx; iretd 0_2_0041106B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040785C push edx; iretd 0_2_00407863
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00410861 push edx; iretd 0_2_004108D7
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040F862 push edx; iretd 0_2_0040F86F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040C066 push ebx; iretd 0_2_0040C073
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040D870 push edx; iretd 0_2_0040D887
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040B874 push ebx; iretd 0_2_0040B87F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00408078 push ebx; iretd 0_2_00408093
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040A008 push edx; iretd 0_2_00409FFF
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040B809 push ebx; iretd 0_2_0040B873
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040900F push edx; iretd 0_2_00409027
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0041601A push edx; iretd 0_2_0041603B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00406021 push edx; iretd 0_2_00406023
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0040F025 push edx; iretd 0_2_0040F027
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00414028 push edi; iretd 0_2_00414029
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_0041402A push edx; iretd 0_2_0041402B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00407034 push edx; iretd 0_2_0040703F
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_00410038 push ebx; iretd 0_2_004100BF
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004078D4 push edx; iretd 0_2_004078DB
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004068D4 push edx; iretd 0_2_0040692B
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004090DC push edx; iretd 0_2_004090E3
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004090E4 push ebx; iretd 0_2_00409147
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004080E9 push edx; iretd 0_2_004080F7
Source: C:\Users\user\Desktop\PC21-270421.exe Code function: 0_2_004108ED push edx; iretd 0_2_004108D7
Source: C:\Users\user\Desktop\PC21-270421.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PC21-270421.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PC21-270421.exe API coverage: 0.6 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PC21-270421.exe Queries volume information: unknown VolumeInformation
No contacted IP infos