Loading ...

Play interactive tourEdit tour

Analysis Report Odeme_310521657_876007850.exe

Overview

General Information

Sample Name:Odeme_310521657_876007850.exe
Analysis ID:431163
MD5:391ca3cf343a25bfd2b452478e54591b
SHA1:07392a3e453fbf57a85190e0342e15c83e4eaffb
SHA256:6abdca229afbc8050590a71d0a4be6dcaeaa44725e19d4eab23df6152465116d
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Odeme_310521657_876007850.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: Odeme_310521657_876007850.exeReversingLabs: Detection: 31%
    Source: Odeme_310521657_876007850.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165436070.000000000066A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A488 NtAllocateVirtualMemory,0_2_0226A488
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A692 NtAllocateVirtualMemory,0_2_0226A692
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A736 NtAllocateVirtualMemory,0_2_0226A736
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A7D5 NtAllocateVirtualMemory,0_2_0226A7D5
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A86E NtAllocateVirtualMemory,0_2_0226A86E
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A56A NtAllocateVirtualMemory,0_2_0226A56A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A5F6 NtAllocateVirtualMemory,0_2_0226A5F6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A4880_2_0226A488
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022682280_2_02268228
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262A060_2_02262A06
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022612040_2_02261204
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022706050_2_02270605
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226B2000_2_0226B200
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261A080_2_02261A08
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02260E150_2_02260E15
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268A120_2_02268A12
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226864A0_2_0226864A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261AA60_2_02261AA6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022612A00_2_022612A0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268EBC0_2_02268EBC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022622850_2_02262285
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226828A0_2_0226828A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267E940_2_02267E94
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262A980_2_02262A98
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02265AEC0_2_02265AEC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022686C40_2_022686C4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266ACD0_2_02266ACD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261ED20_2_02261ED2
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AED10_2_0226AED1
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022656DC0_2_022656DC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226B2DA0_2_0226B2DA
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022657240_2_02265724
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264F250_2_02264F25
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266B220_2_02266B22
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261B200_2_02261B20
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226830C0_2_0226830C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226230A0_2_0226230A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226B3780_2_0226B378
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262F540_2_02262F54
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AF520_2_0226AF52
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022683A00_2_022683A0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268B800_2_02268B80
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261F800_2_02261F80
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022657880_2_02265788
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261B940_2_02261B94
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262F9B0_2_02262F9B
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264F980_2_02264F98
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022627990_2_02262799
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022673E40_2_022673E4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261BEE0_2_02261BEE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262BEE0_2_02262BEE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022627FA0_2_022627FA
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262FC60_2_02262FC6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267FC00_2_02267FC0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264BCD0_2_02264BCD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022617CB0_2_022617CB
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268FD80_2_02268FD8
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022608230_2_02260823
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226082E0_2_0226082E
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226882E0_2_0226882E
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226502C0_2_0226502C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226843C0_2_0226843C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266C3A0_2_02266C3A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226200C0_2_0226200C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268C0C0_2_02268C0C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226B4180_2_0226B418
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022618500_2_02261850
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267C5A0_2_02267C5A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022680580_2_02268058
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022610A30_2_022610A3
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022638BD0_2_022638BD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022608840_2_02260884
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261C880_2_02261C88
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022620900_2_02262090
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022698E60_2_022698E6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022684E60_2_022684E6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022618EE0_2_022618EE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022688E80_2_022688E8
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022610F40_2_022610F4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226ECC20_2_0226ECC2
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267CD40_2_02267CD4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226592E0_2_0226592E
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226293C0_2_0226293C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022621140_2_02262114
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022681190_2_02268119
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022681640_2_02268164
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267D6C0_2_02267D6C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226B16C0_2_0226B16C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A56A0_2_0226A56A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226116B0_2_0226116B
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022619740_2_02261974
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022631740_2_02263174
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266D500_2_02266D50
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022621A40_2_022621A4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022639AD0_2_022639AD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022659AB0_2_022659AB
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261DB20_2_02261DB2
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022629B80_2_022629B8
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226A5F60_2_0226A5F6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022659F50_2_022659F5
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022651FC0_2_022651FC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268DC90_2_02268DC9
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266DD80_2_02266DD8
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022639D80_2_022639D8
    Source: Odeme_310521657_876007850.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165584382.00000000021F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Odeme_310521657_876007850.exe
    Source: Odeme_310521657_876007850.exe, 00000000.00000000.639617040.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForconceit7.exe vs Odeme_310521657_876007850.exe
    Source: Odeme_310521657_876007850.exeBinary or memory string: OriginalFilenameForconceit7.exe vs Odeme_310521657_876007850.exe
    Source: Odeme_310521657_876007850.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal80.rans.troj.evad.winEXE@1/0@0/0
    Source: Odeme_310521657_876007850.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Odeme_310521657_876007850.exeReversingLabs: Detection: 31%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: Odeme_310521657_876007850.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.Odeme_310521657_876007850.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Odeme_310521657_876007850.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0040CF5C push ebp; iretd 0_2_0040CF5D
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02269120 push 39C8A12Dh; retf 0_2_0226912C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AA23 0_2_0226AA23
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268228 0_2_02268228
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261A08 0_2_02261A08
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226864A 0_2_0226864A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261AA6 0_2_02261AA6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262285 0_2_02262285
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226828A 0_2_0226828A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267E94 0_2_02267E94
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022686C4 0_2_022686C4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266ACD 0_2_02266ACD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261ED2 0_2_02261ED2
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AED1 0_2_0226AED1
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022656DC 0_2_022656DC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261B20 0_2_02261B20
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264700 0_2_02264700
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226830C 0_2_0226830C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226230A 0_2_0226230A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226470A 0_2_0226470A
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226475C 0_2_0226475C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022683A0 0_2_022683A0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261F80 0_2_02261F80
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261B94 0_2_02261B94
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022673E4 0_2_022673E4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261BEE 0_2_02261BEE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022647F0 0_2_022647F0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267FC0 0_2_02267FC0
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022617CB 0_2_022617CB
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267420 0_2_02267420
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226843C 0_2_0226843C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226200C 0_2_0226200C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266453 0_2_02266453
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261850 0_2_02261850
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266451 0_2_02266451
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268058 0_2_02268058
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261C88 0_2_02261C88
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262090 0_2_02262090
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264890 0_2_02264890
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022698E6 0_2_022698E6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022684E6 0_2_022684E6
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022618EE 0_2_022618EE
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267CD4 0_2_02267CD4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022674D8 0_2_022674D8
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02264924 0_2_02264924
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02262114 0_2_02262114
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268119 0_2_02268119
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02268164 0_2_02268164
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02267D6C 0_2_02267D6C
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261974 0_2_02261974
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022621A4 0_2_022621A4
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022639AD 0_2_022639AD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02261DB2 0_2_02261DB2
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226A8D3 second address: 000000000226A8D3 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226A973 second address: 000000000226A973 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226AA14 second address: 000000000226AA6A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FA1809A4D2Ch 0x0000000f call 00007FA1809A4A99h 0x00000014 mov dword ptr [ebp+000001DDh], ecx 0x0000001a test ax, 00006196h 0x0000001e mov ecx, 744B4324h 0x00000023 cmp ebx, edx 0x00000025 xor ecx, 3F893887h 0x0000002b xor ecx, 86A7B7DBh 0x00000031 test bl, bl 0x00000033 sub ecx, CD65CC3Ch 0x00000039 pushad 0x0000003a mov cx, 6E0Fh 0x0000003e cmp cx, 6E0Fh 0x00000043 jne 00007FA1809A870Fh 0x00000049 popad 0x0000004a push ecx 0x0000004b mov ecx, dword ptr [ebp+000001DDh] 0x00000051 cmp dx, bx 0x00000054 push dword ptr [ebp+00000140h] 0x0000005a pushad 0x0000005b rdtsc
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226AA6A second address: 000000000226AA6A instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226F981 second address: 000000000226F981 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 0000000002272352 second address: 0000000002272352 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226E6B7 second address: 000000000226E7D9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push E16449FBh 0x00000010 jmp 00007FA1809BA75Eh 0x00000012 cmp cl, bl 0x00000014 call 00007FA1809BA744h 0x00000019 cmp ah, ch 0x0000001b mov dword ptr [ebp+04h], eax 0x0000001e mov ebx, dword ptr [eax+3Ch] 0x00000021 add eax, ebx 0x00000023 mov ebx, dword ptr [eax+78h] 0x00000026 mov eax, dword ptr [ebp+04h] 0x00000029 jmp 00007FA1809BA75Eh 0x0000002b test dl, dl 0x0000002d add eax, ebx 0x0000002f mov ecx, dword ptr [eax+18h] 0x00000032 test bh, ah 0x00000034 mov dword ptr [ebp+08h], ecx 0x00000037 cmp cl, bl 0x00000039 mov ecx, dword ptr [eax+1Ch] 0x0000003c mov dword ptr [ebp+14h], ecx 0x0000003f cmp cl, cl 0x00000041 mov ecx, dword ptr [eax+24h] 0x00000044 mov dword ptr [ebp+10h], ecx 0x00000047 test dl, dl 0x00000049 mov esi, dword ptr [eax+20h] 0x0000004c add esi, dword ptr [ebp+04h] 0x0000004f xor ecx, ecx 0x00000051 test bh, FFFFFFA3h 0x00000054 cmp ax, bx 0x00000057 pushad 0x00000058 lfence 0x0000005b rdtsc
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226A8D3 second address: 000000000226A8D3 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226A973 second address: 000000000226A973 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226AA14 second address: 000000000226AA6A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FA1809A4D2Ch 0x0000000f call 00007FA1809A4A99h 0x00000014 mov dword ptr [ebp+000001DDh], ecx 0x0000001a test ax, 00006196h 0x0000001e mov ecx, 744B4324h 0x00000023 cmp ebx, edx 0x00000025 xor ecx, 3F893887h 0x0000002b xor ecx, 86A7B7DBh 0x00000031 test bl, bl 0x00000033 sub ecx, CD65CC3Ch 0x00000039 pushad 0x0000003a mov cx, 6E0Fh 0x0000003e cmp cx, 6E0Fh 0x00000043 jne 00007FA1809A870Fh 0x00000049 popad 0x0000004a push ecx 0x0000004b mov ecx, dword ptr [ebp+000001DDh] 0x00000051 cmp dx, bx 0x00000054 push dword ptr [ebp+00000140h] 0x0000005a pushad 0x0000005b rdtsc
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226AA6A second address: 000000000226AA6A instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226F981 second address: 000000000226F981 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 0000000002272352 second address: 0000000002272352 instructions:
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeRDTSC instruction interceptor: First address: 000000000226F43E second address: 000000000226F4DF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000015 test ecx, ecx 0x00000017 cmp al, al 0x00000019 cmp bl, cl 0x0000001b call 00007FA1809A4C5Eh 0x00000020 call 00007FA1809A4C6Ah 0x00000025 lfence 0x00000028 mov edx, 70E07C5Ch 0x0000002d xor edx, A2B34B25h 0x00000033 xor edx, 89B1DF2Eh 0x00000039 xor edx, 241CE843h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 jmp 00007FA1809A4C2Eh 0x00000046 test dx, cx 0x00000049 cmp ebx, edx 0x0000004b cmp bl, FFFFFF8Ch 0x0000004e jmp 00007FA1809A4C2Eh 0x00000050 test bl, bl 0x00000052 test ax, cx 0x00000055 nop 0x00000056 pushad 0x00000057 mov dx, B385h 0x0000005b cmp dx, B385h 0x00000060 jne 00007FA1809A3B2Dh 0x00000066 popad 0x00000067 ret 0x00000068 mov esi, edx 0x0000006a pushad 0x0000006b rdtsc
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AA23 rdtsc 0_2_0226AA23
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226AA23 rdtsc 0_2_0226AA23
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02270605 mov eax, dword ptr fs:[00000030h]0_2_02270605
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266ACD mov eax, dword ptr fs:[00000030h]0_2_02266ACD
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_022656DC mov eax, dword ptr fs:[00000030h]0_2_022656DC
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266B22 mov eax, dword ptr fs:[00000030h]0_2_02266B22
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226EF31 mov eax, dword ptr fs:[00000030h]0_2_0226EF31
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266453 mov eax, dword ptr fs:[00000030h]0_2_02266453
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02266451 mov eax, dword ptr fs:[00000030h]0_2_02266451
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_0226E55E mov eax, dword ptr fs:[00000030h]0_2_0226E55E
    Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exeCode function: 0_2_02269D90 mov eax, dword ptr fs:[00000030h]0_2_02269D90
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.