Loading ...

Play interactive tourEdit tour

Analysis Report New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Overview

General Information

Sample Name:New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Analysis ID:432028
MD5:e766a80e73cd62b0aadf800f0e8bfe2c
SHA1:25de6008b7f77121d432811376b4703e727e902f
SHA256:664bf09b6f40a8f36643766189b1ec1cbf9578ff7d207b9f23803ac7676a119e
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
            0.2.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeVirustotal: Detection: 71%Perma Link
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeMetadefender: Detection: 28%Perma Link
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeReversingLabs: Detection: 72%
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin

              System Summary:

              barindex
              Potential malicious icon foundShow sources
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD88D0 NtProtectVirtualMemory,0_2_02BD88D0
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7037 NtAllocateVirtualMemory,0_2_02BD7037
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7280 NtAllocateVirtualMemory,0_2_02BD7280
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD722F NtAllocateVirtualMemory,0_2_02BD722F
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7094 NtAllocateVirtualMemory,0_2_02BD7094
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD70C8 NtAllocateVirtualMemory,0_2_02BD70C8
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7001 NtAllocateVirtualMemory,0_2_02BD7001
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD71BE NtAllocateVirtualMemory,0_2_02BD71BE
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD890F NtProtectVirtualMemory,0_2_02BD890F
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD717E NtAllocateVirtualMemory,0_2_02BD717E
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7159 NtAllocateVirtualMemory,0_2_02BD7159
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_004016640_2_00401664
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_00403EC90_2_00403EC9
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7EA40_2_02BD7EA4
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7EF90_2_02BD7EF9
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD32E80_2_02BD32E8
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD32700_2_02BD3270
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD2A5F0_2_02BD2A5F
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7E480_2_02BD7E48
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD33AC0_2_02BD33AC
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7FEC0_2_02BD7FEC
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7FE50_2_02BD7FE5
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7BC30_2_02BD7BC3
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7F380_2_02BD7F38
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7B330_2_02BD7B33
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7B770_2_02BD7B77
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7F6F0_2_02BD7F6F
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD33640_2_02BD3364
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD80880_2_02BD8088
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7CE80_2_02BD7CE8
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD58250_2_02BD5825
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD341E0_2_02BD341E
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7C040_2_02BD7C04
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7C480_2_02BD7C48
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD80420_2_02BD8042
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7DBA0_2_02BD7DBA
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD31B40_2_02BD31B4
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD319D0_2_02BD319D
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD81980_2_02BD8198
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD31FD0_2_02BD31FD
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7DFD0_2_02BD7DFD
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD21340_2_02BD2134
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7D360_2_02BD7D36
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD810C0_2_02BD810C
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD81540_2_02BD8154
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000000.204331251.0000000000419000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730698816.00000000021D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeBinary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@1/0@0/0
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeVirustotal: Detection: 71%
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeMetadefender: Detection: 28%
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeReversingLabs: Detection: 72%

              Data Obfuscation:

              barindex
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, type: SAMPLE
              Source: Yara matchFile source: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0.0.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_004068DF push ecx; ret 0_2_004068E1
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_00402D66 push dword ptr [ebp-44h]; ret 0_2_00413024
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_00408972 push esi; iretd 0_2_00408976
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD837B push eax; ret 0_2_02BD83B2
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD3F7A push ss; retf 0_2_02BD3F84
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD3F53 push ss; retf 0_2_02BD3F5D
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeRDTSC instruction interceptor: First address: 0000000002BD849A second address: 0000000002BD849A instructions:
              Tries to detect virtualization through RDTSC time measurementsShow sources
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeRDTSC instruction interceptor: First address: 0000000002BD849A second address: 0000000002BD849A instructions:
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeRDTSC instruction interceptor: First address: 0000000002BD1B35 second address: 0000000002BD1B35 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 0008B41Ah 0x00000007 sub eax, FFF0F724h 0x0000000c add eax, FFF6636Fh 0x00000011 sub eax, 000E2064h 0x00000016 cpuid 0x00000018 jmp 00007FF648847D52h 0x0000001a test eax, edx 0x0000001c popad 0x0000001d call 00007FF648847D1Bh 0x00000022 lfence 0x00000025 mov edx, 7FFD13E2h 0x0000002a sub edx, 000005CFh 0x00000030 sub edx, FFFF6315h 0x00000036 sub edx, FFFFAAEAh 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 pop ecx 0x00000046 add edi, edx 0x00000048 dec ecx 0x00000049 jmp 00007FF648847D46h 0x0000004b test cl, FFFFFF80h 0x0000004e cmp ecx, 00000000h 0x00000051 jne 00007FF648847CCAh 0x00000053 push ecx 0x00000054 call 00007FF648847D64h 0x00000059 call 00007FF648847D80h 0x0000005e lfence 0x00000061 mov edx, 7FFD13E2h 0x00000066 sub edx, 000005CFh 0x0000006c sub edx, FFFF6315h 0x00000072 sub edx, FFFFAAEAh 0x00000078 mov edx, dword ptr [edx] 0x0000007a lfence 0x0000007d ret 0x0000007e mov esi, edx 0x00000080 pushad 0x00000081 rdtsc
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD32E8 rdtsc 0_2_02BD32E8
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeAPI coverage: 6.5 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

              Anti Debugging:

              barindex
              Found potential dummy code loops (likely to delay analysis)Show sources
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeProcess Stats: CPU usage > 90% for more than 60s
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD32E8 rdtsc 0_2_02BD32E8
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD6AAF mov eax, dword ptr fs:[00000030h]0_2_02BD6AAF
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD3EF4 mov eax, dword ptr fs:[00000030h]0_2_02BD3EF4
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD2A65 mov eax, dword ptr fs:[00000030h]0_2_02BD2A65
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD2A5F mov eax, dword ptr fs:[00000030h]0_2_02BD2A5F
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7BC3 mov eax, dword ptr fs:[00000030h]0_2_02BD7BC3
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7B33 mov eax, dword ptr fs:[00000030h]0_2_02BD7B33
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD2B00 mov eax, dword ptr fs:[00000030h]0_2_02BD2B00
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7B77 mov eax, dword ptr fs:[00000030h]0_2_02BD7B77
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7C04 mov eax, dword ptr fs:[00000030h]0_2_02BD7C04
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD7C48 mov eax, dword ptr fs:[00000030h]0_2_02BD7C48
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD2134 mov eax, dword ptr fs:[00000030h]0_2_02BD2134
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD611B mov eax, dword ptr fs:[00000030h]0_2_02BD611B
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCode function: 0_2_02BD58FF cpuid 0_2_02BD58FF

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery211Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.