Source: Facturas Pagadas Al Vencimiento.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l"} |
Source: Facturas Pagadas Al Vencimiento.exe |
Virustotal: Detection: 71% |
Source: Facturas Pagadas Al Vencimiento.exe |
Metadefender: Detection: 45% |
Source: Facturas Pagadas Al Vencimiento.exe |
ReversingLabs: Detection: 69% |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1dBTGLOe-ZeMuRpNWg8qsJp7BOE8QNF9s5l |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_004014BC |
0_2_004014BC |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 700 |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209123671.0000000000421000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209337429.00000000020A0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Facturas Pagadas Al Vencimiento.exe |
Source: Facturas Pagadas Al Vencimiento.exe |
Binary or memory string: OriginalFilenameGRFTNING.exe vs Facturas Pagadas Al Vencimiento.exe |
Source: classification engine |
Classification label: mal76.rans.troj.winEXE@3/8@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5992 |
Source: Facturas Pagadas Al Vencimiento.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Windows\SysWOW64\WerFault.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe 'C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe' |
Source: Yara match |
File source: Facturas Pagadas Al Vencimiento.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.Facturas Pagadas Al Vencimiento.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Facturas Pagadas Al Vencimiento.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00406C48 push edi; iretd |
0_2_00406C4C |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040A4F0 push edi; retf |
0_2_0040A4F6 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040B88A push es; ret |
0_2_0040B902 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_004018A5 push eax; retn 0041h |
0_2_004018AD |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CD40 push FFFFFF87h; ret |
0_2_0040CD42 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040AD1C pushfd ; ret |
0_2_0040AD2E |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040DE63 push ds; ret |
0_2_0040DE6D |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040C20B push FFFFFFF9h; ret |
0_2_0040C2DE |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040C20D push FFFFFFF9h; ret |
0_2_0040C2DE |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040CAC2 pushad ; ret |
0_2_0040CAD2 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00405EC5 push es; ret |
0_2_00405EC8 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040D6DA push cs; ret |
0_2_0040D6F1 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040BA91 push ss; ret |
0_2_0040BA92 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_0040829F push 00000055h; ret |
0_2_004082BD |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00409768 push ebp; ret |
0_2_0040976D |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00409F3A push 00000048h; ret |
0_2_00409F92 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_00409FCB push 00000048h; ret |
0_2_00409F92 |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Code function: 0_2_004077DD push ebp; ret |
0_2_0040780E |
Source: C:\Users\user\Desktop\Facturas Pagadas Al Vencimiento.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Facturas Pagadas Al Vencimiento.exe, 00000000.00000000.209299905.0000000000C70000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |