Analysis Report Order-078CNLTD.exe

Overview

General Information

Sample Name: Order-078CNLTD.exe
Analysis ID: 433965
MD5: db7cc0b29cf38b5ed2a176c0043b2a58
SHA1: 8e5c1a3ca8e4b5cd7c43cd7f0acbc40a09cefbef
SHA256: aa70c51a1df950f7b8406f4599a7e3bb89bc61fec570fc0e3a53826d42cbf13c
Tags: exe

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/TODAY_tRiyv97.bin"}
Multi AV Scanner detection for submitted file
Source: Order-078CNLTD.exe Virustotal: Detection: 70%
Source: Order-078CNLTD.exe Metadefender: Detection: 25%
Source: Order-078CNLTD.exe ReversingLabs: Detection: 86%

Compliance:

Uses 32bit PE files
Source: Order-078CNLTD.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://andreameixueiro.com/TODAY_tRiyv97.bin

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order-078CNLTD.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02103179 NtAllocateVirtualMemory, 0_2_02103179
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105DA2 NtProtectVirtualMemory, 0_2_02105DA2
Detected potential crypto function
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02106A9E 0_2_02106A9E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021018ED 0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105633 0_2_02105633
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102637 0_2_02102637
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210263B 0_2_0210263B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210263F 0_2_0210263F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102653 0_2_02102653
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102657 0_2_02102657
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210265B 0_2_0210265B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210265F 0_2_0210265F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102643 0_2_02102643
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102647 0_2_02102647
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210264B 0_2_0210264B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02106E4E 0_2_02106E4E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210264F 0_2_0210264F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102673 0_2_02102673
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102663 0_2_02102663
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102667 0_2_02102667
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210266E 0_2_0210266E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021026AE 0_2_021026AE
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056D9 0_2_021056D9
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056DB 0_2_021056DB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056DF 0_2_021056DF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056F3 0_2_021056F3
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056F7 0_2_021056F7
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056FB 0_2_021056FB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056FF 0_2_021056FF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056E3 0_2_021056E3
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056E7 0_2_021056E7
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056EB 0_2_021056EB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021056EF 0_2_021056EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105713 0_2_02105713
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105703 0_2_02105703
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105707 0_2_02105707
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210570E 0_2_0210570E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210574E 0_2_0210574E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104C4F 0_2_02104C4F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104CC0 0_2_02104CC0
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104D1A 0_2_02104D1A
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210155C 0_2_0210155C
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021015D4 0_2_021015D4
PE file contains strange resources
Source: Order-078CNLTD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Order-078CNLTD.exe, 00000000.00000000.211129834.0000000000447000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOneiro.exe vs Order-078CNLTD.exe
Source: Order-078CNLTD.exe Binary or memory string: OriginalFilenameOneiro.exe vs Order-078CNLTD.exe
Uses 32bit PE files
Source: Order-078CNLTD.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0
Source: Order-078CNLTD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00401260 pushfd ; retf 0042h 0_2_00401261
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0041C42A push ss; ret 0_2_0041C431
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0041A4EE push edi; iretd 0_2_0041A4EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00419E84 push cs; ret 0_2_00419E85
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0041A372 pushad ; ret 0_2_0041A379
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0041C12C push ds; ret 0_2_0041C131
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0041B998 push 8DED9D04h; retf 0_2_0041B99D
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_005424F3 push edx; ret 0_2_00542521
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00541054 push edx; ret 0_2_00541081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00542854 push edx; ret 0_2_00542881
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00544054 push edx; ret 0_2_00544081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00545854 push edx; ret 0_2_00545881
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00547054 push edx; ret 0_2_00547081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00546844 push edx; ret 0_2_00546871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00540843 push edx; ret 0_2_00540871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00542043 push edx; ret 0_2_00542071
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00543843 push edx; ret 0_2_00543871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00545043 push edx; ret 0_2_00545071
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00542074 push edx; ret 0_2_005420A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00543874 push edx; ret 0_2_005438A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00545074 push edx; ret 0_2_005450A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00546875 push edx; ret 0_2_005468A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00540878 push edx; ret 0_2_005408A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00546065 push edx; ret 0_2_00546091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00543063 push edx; ret 0_2_00543091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00541863 push edx; ret 0_2_00541891
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00544863 push edx; ret 0_2_00544891
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00540068 push edx; ret 0_2_00540091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00546814 push edx; ret 0_2_00546841
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00543813 push edx; ret 0_2_00543841
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_00542013 push edx; ret 0_2_00542041
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02106A9E 0_2_02106A9E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021028E8 0_2_021028E8
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021028EB 0_2_021028EB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021018ED 0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021028EF 0_2_021028EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102913 0_2_02102913
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102917 0_2_02102917
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210291B 0_2_0210291B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210291F 0_2_0210291F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210290F 0_2_0210290F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102923 0_2_02102923
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210512B 0_2_0210512B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105153 0_2_02105153
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105157 0_2_02105157
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210515B 0_2_0210515B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210515F 0_2_0210515F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210514F 0_2_0210514F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102637 0_2_02102637
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210263B 0_2_0210263B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210263F 0_2_0210263F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102653 0_2_02102653
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102657 0_2_02102657
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210265B 0_2_0210265B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210265F 0_2_0210265F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102643 0_2_02102643
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102647 0_2_02102647
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210264B 0_2_0210264B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210264F 0_2_0210264F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102673 0_2_02102673
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102663 0_2_02102663
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102667 0_2_02102667
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210266E 0_2_0210266E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021026AE 0_2_021026AE
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104C4F 0_2_02104C4F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104D1A 0_2_02104D1A
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_0210155C 0_2_0210155C
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021015D4 0_2_021015D4
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105246 second address: 0000000002105246 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 00000000021052BC second address: 00000000021052BC instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 00000000021053D3 second address: 00000000021053D3 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105066 second address: 0000000002105100 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, AD9Ah 0x0000000f xor edi, edi 0x00000011 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001b call 00007F0FCD0B577Ch 0x00000020 call 00007F0FCD0B577Fh 0x00000025 lfence 0x00000028 mov edx, 7FFEFDDCh 0x0000002d add edx, FFFFB1D9h 0x00000033 sub edx, 0000CDF5h 0x00000039 add edx, 00001E54h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 cmp ecx, ebx 0x00000046 cmp ecx, ecx 0x00000048 pushad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105100 second address: 00000000021050B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, 9ED2h 0x0000000f ret 0x00000010 mov esi, edx 0x00000012 pushad 0x00000013 rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105246 second address: 0000000002105246 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 00000000021052BC second address: 00000000021052BC instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 00000000021053D3 second address: 00000000021053D3 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105066 second address: 0000000002105100 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, AD9Ah 0x0000000f xor edi, edi 0x00000011 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001b call 00007F0FCD0B577Ch 0x00000020 call 00007F0FCD0B577Fh 0x00000025 lfence 0x00000028 mov edx, 7FFEFDDCh 0x0000002d add edx, FFFFB1D9h 0x00000033 sub edx, 0000CDF5h 0x00000039 add edx, 00001E54h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 cmp ecx, ebx 0x00000046 cmp ecx, ecx 0x00000048 pushad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Order-078CNLTD.exe RDTSC instruction interceptor: First address: 0000000002105100 second address: 00000000021050B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, 9ED2h 0x0000000f ret 0x00000010 mov esi, edx 0x00000012 pushad 0x00000013 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02101202 rdtsc 0_2_02101202
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02101202 rdtsc 0_2_02101202
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104A24 mov eax, dword ptr fs:[00000030h] 0_2_02104A24
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102006 mov eax, dword ptr fs:[00000030h] 0_2_02102006
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_021018ED mov eax, dword ptr fs:[00000030h] 0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02104E30 mov eax, dword ptr fs:[00000030h] 0_2_02104E30
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02105633 mov eax, dword ptr fs:[00000030h] 0_2_02105633
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02102E68 mov eax, dword ptr fs:[00000030h] 0_2_02102E68
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Order-078CNLTD.exe Code function: 0_2_02103A54 cpuid 0_2_02103A54
No contacted IP infos