Loading ...

Play interactive tourEdit tour

Analysis Report 2FQhmYZME4.exe

Overview

General Information

Sample Name:2FQhmYZME4.exe
Analysis ID:431752
MD5:196b3c910b8d74c5916029f6eb037d5d
SHA1:37968cade61e54ce0c4ec24e83c35fadd583019f
SHA256:4f6b4079a3f1b56421cbca34d112ba6a867ff8a6bd706010bfe931ac6d635361
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 2FQhmYZME4.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\2FQhmYZME4.exe' MD5: 196B3C910B8D74C5916029F6EB037D5D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://myurl/myfile.bin"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
2FQhmYZME4.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.0.2FQhmYZME4.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          1.2.2FQhmYZME4.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000001.00000002.1168698485.0000000002C00000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://myurl/myfile.bin"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: 2FQhmYZME4.exeVirustotal: Detection: 26%Perma Link
            Source: 2FQhmYZME4.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: http://myurl/myfile.bin
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167821842.00000000006AA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2 NtAllocateVirtualMemory,1_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA7 NtAllocateVirtualMemory,1_2_02C06AA7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06BB7 NtAllocateVirtualMemory,1_2_02C06BB7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06B1B NtAllocateVirtualMemory,1_2_02C06B1B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06CCD NtAllocateVirtualMemory,1_2_02C06CCD
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA2 NtAllocateVirtualMemory,1_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06C71 NtAllocateVirtualMemory,1_2_02C06C71
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_0040560F1_2_0040560F
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00401C101_2_00401C10
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA21_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05AD51_2_02C05AD5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C056DD1_2_02C056DD
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C012F11_2_02C012F1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6F11_2_02C0A6F1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C032F51_2_02C032F5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00EF71_2_02C00EF7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C046A11_2_02C046A1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A51_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA71_2_02C06AA7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C016A91_2_02C016A9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6AA1_2_02C0A6AA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C072AF1_2_02C072AF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C066B01_2_02C066B0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09EB31_2_02C09EB3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C052B71_2_02C052B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C066BB1_2_02C066BB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C046451_2_02C04645
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AA451_2_02C0AA45
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01E4B1_2_02C01E4B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05A4E1_2_02C05A4E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0565F1_2_02C0565F
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03A6A1_2_02C03A6A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C01E6D1_2_02C01E6D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AA7E1_2_02C0AA7E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0521E1_2_02C0521E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0162D1_2_02C0162D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C072311_2_02C07231
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A63C1_2_02C0A63C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D51_2_02C037D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D71_2_02C037D7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05BE01_2_02C05BE0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C013E91_2_02C013E9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03BEF1_2_02C03BEF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A51_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05B851_2_02C05B85
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A7961_2_02C0A796
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C053B91_2_02C053B9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A7BA1_2_02C0A7BA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A7521_2_02C0A752
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C057631_2_02C05763
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03B661_2_02C03B66
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0136A1_2_02C0136A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06F781_2_02C06F78
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C053001_2_02C05300
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AB0D1_2_02C0AB0D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03B0E1_2_02C03B0E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C017291_2_02C01729
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0333E1_2_02C0333E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C008C81_2_02C008C8
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C038C91_2_02C038C9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A8D91_2_02C0A8D9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C058E41_2_02C058E4
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C070E61_2_02C070E6
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C044EA1_2_02C044EA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C058F61_2_02C058F6
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06AA21_2_02C06AA2
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C070851_2_02C07085
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0108B1_2_02C0108B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C050991_2_02C05099
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C054B01_2_02C054B0
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C014B51_2_02C014B5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A8421_2_02C0A842
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C014461_2_02C01446
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C038461_2_02C03846
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C084531_2_02C08453
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05C6C1_2_02C05C6C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C070771_2_02C07077
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0587D1_2_02C0587D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C010011_2_02C01001
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C058121_2_02C05812
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0543B1_2_02C0543B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C055C51_2_02C055C5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DCB1_2_02C00DCB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C071CE1_2_02C071CE
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C039D31_2_02C039D3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C071D51_2_02C071D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B5E71_2_02C0B5E7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C011ED1_2_02C011ED
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DFF1_2_02C00DFF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C051851_2_02C05185
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C071941_2_02C07194
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C045A31_2_02C045A3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C015AF1_2_02C015AF
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A9B71_2_02C0A9B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C059BD1_2_02C059BD
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A9421_2_02C0A942
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C055551_2_02C05555
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B55A1_2_02C0B55A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0395D1_2_02C0395D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C015621_2_02C01562
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B56A1_2_02C0B56A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C011791_2_02C01179
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05D061_2_02C05D06
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A90B1_2_02C0A90B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C045151_2_02C04515
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0111D1_2_02C0111D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD1E1_2_02C0AD1E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C059231_2_02C05923
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C051251_2_02C05125
            Source: 2FQhmYZME4.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 2FQhmYZME4.exe, 00000001.00000002.1168321386.00000000023C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167671564.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exeBinary or memory string: OriginalFilenameChanneled1.exe vs 2FQhmYZME4.exe
            Source: 2FQhmYZME4.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal92.rans.troj.evad.winEXE@1/0@0/0
            Source: 2FQhmYZME4.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 2FQhmYZME4.exeVirustotal: Detection: 26%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 2FQhmYZME4.exe, type: SAMPLE
            Source: Yara matchFile source: 00000001.00000000.645109161.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1167637296.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 1.0.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.2FQhmYZME4.exe.400000.0.unpack, type: UNPACKEDPE
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00409E58 push eax; retf 1_2_00409E61
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00406826 push ebx; ret 1_2_00406830
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_004094F4 pushfd ; ret 1_2_004094F5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00408355 push edx; ret 1_2_0040835C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00408B1F push edx; ret 1_2_00408B58
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_00406580 push ebx; retf 1_2_00406590
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_004031A9 push dword ptr [ebp-44h]; ret 1_2_0041EC24
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C032F5 1_2_02C032F5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C052B7 1_2_02C052B7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03A6A 1_2_02C03A6A
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0521E 1_2_02C0521E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D5 1_2_02C037D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D7 1_2_02C037D7
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05300 1_2_02C05300
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C038C9 1_2_02C038C9
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05099 1_2_02C05099
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C03846 1_2_02C03846
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C08453 1_2_02C08453
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C00DCB 1_2_02C00DCB
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C039D3 1_2_02C039D3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05185 1_2_02C05185
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD9B 1_2_02C0AD9B
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0395D 1_2_02C0395D
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0AD1E 1_2_02C0AD1E
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C05125 1_2_02C05125
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09FB8 second address: 0000000002C09FB8 instructions:
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C098FF second address: 0000000002C098FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [edx+ecx], al 0x0000000e inc ecx 0x0000000f jne 00007F366037329Dh 0x00000011 mov al, byte ptr [edx+ecx] 0x00000014 add ebx, esi 0x00000016 xor al, byte ptr [ebx] 0x00000018 sub ebx, esi 0x0000001a inc ebx 0x0000001b jne 00007F36603732C6h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09FB8 second address: 0000000002C09FB8 instructions:
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeRDTSC instruction interceptor: First address: 0000000002C09CD6 second address: 0000000002C09CD6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 35C87548h 0x00000007 xor eax, 95C7301Ch 0x0000000c add eax, 0F544615h 0x00000011 add eax, 509C7498h 0x00000016 cpuid 0x00000018 jmp 00007F36603732FAh 0x0000001a cmp cl, cl 0x0000001c popad 0x0000001d call 00007F36603732C8h 0x00000022 lfence 0x00000025 mov edx, D838CC93h 0x0000002a add edx, 4B48768Eh 0x00000030 add edx, CBB48C4Bh 0x00000036 xor edx, 90CBCF78h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 jmp 00007F36603732FAh 0x00000043 cmp edx, C46AF604h 0x00000049 ret 0x0000004a sub edx, esi 0x0000004c ret 0x0000004d cmp bx, bx 0x00000050 add edi, edx 0x00000052 dec dword ptr [ebp+000000F8h] 0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005f jne 00007F36603732A9h 0x00000061 call 00007F3660373322h 0x00000066 call 00007F3660373325h 0x0000006b lfence 0x0000006e mov edx, D838CC93h 0x00000073 add edx, 4B48768Eh 0x00000079 add edx, CBB48C4Bh 0x0000007f xor edx, 90CBCF78h 0x00000085 mov edx, dword ptr [edx] 0x00000087 lfence 0x0000008a jmp 00007F36603732FAh 0x0000008c cmp edx, C46AF604h 0x00000092 ret 0x00000093 mov esi, edx 0x00000095 pushad 0x00000096 rdtsc
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B6C1 rdtsc 1_2_02C0B6C1
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeProcess Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0B6C1 rdtsc 1_2_02C0B6C1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6F1 mov eax, dword ptr fs:[00000030h]1_2_02C0A6F1
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h]1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6AA mov eax, dword ptr fs:[00000030h]1_2_02C0A6AA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A63C mov eax, dword ptr fs:[00000030h]1_2_02C0A63C
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C08FC3 mov eax, dword ptr fs:[00000030h]1_2_02C08FC3
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C037D5 mov eax, dword ptr fs:[00000030h]1_2_02C037D5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A6A5 mov eax, dword ptr fs:[00000030h]1_2_02C0A6A5
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A796 mov eax, dword ptr fs:[00000030h]1_2_02C0A796
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C0A752 mov eax, dword ptr fs:[00000030h]1_2_02C0A752
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C044EA mov eax, dword ptr fs:[00000030h]1_2_02C044EA
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09956 mov eax, dword ptr fs:[00000030h]1_2_02C09956
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C06570 mov eax, dword ptr fs:[00000030h]1_2_02C06570
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C04515 mov eax, dword ptr fs:[00000030h]1_2_02C04515
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: 2FQhmYZME4.exe, 00000001.00000002.1167862225.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\2FQhmYZME4.exeCode function: 1_2_02C09968 cpuid 1_2_02C09968

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.