Source: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin |
Avira URL Cloud: Label: malware |
Source: EXErprijFY.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"} |
Source: EXErprijFY.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin |
Source: EXErprijFY.exe, 00000000.00000002.1164512673.00000000006FA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_004018A4 |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_00405732 |
Source: EXErprijFY.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: EXErprijFY.exe, 00000000.00000000.641912573.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2X2 vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2X vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2XpJ4 vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2X_I vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2X>N~ vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamepetered.exeFE2XxO< vs EXErprijFY.exe |
Source: EXErprijFY.exe, 00000000.00000002.1164564990.00000000020A0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs EXErprijFY.exe |
Source: EXErprijFY.exe |
Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe |
Source: EXErprijFY.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0 |
Source: EXErprijFY.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000000.00000002.1164652170.0000000002230000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: EXErprijFY.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_004059CC pushfd ; iretd |
0_2_004059D5 |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_00406199 push ss; ret |
0_2_004062BA |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_00407E0A push ecx; iretd |
0_2_00407E0C |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_004062BD push ss; ret |
0_2_004062BA |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_00402F0B push dword ptr [ebp-1Ch]; ret |
0_2_0041B724 |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Code function: 0_2_00409B16 push ecx; retf |
0_2_00409B23 |
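The six "Code function" findings above are the sandbox's static heuristic for obfuscated control transfer: a value is pushed and then consumed by ret, retf or iretd instead of a normal call/ret pairing. The report gives two addresses per finding and does not say how far apart the push and the return sit, so the scanner below, added here as an illustration and not code from the report or from the sample, checks only the simplest form, a 32-bit push immediately followed by a return-family opcode. The input bytes are constructed to mirror the five instruction pairs listed (pushfd;iretd, push ss;ret, push ecx;iretd, push dword ptr [ebp-1Ch];ret, push ecx;retf) with a normal prologue and epilogue around them; the offsets are relative to that constructed buffer, not to the sample.

```c
/* Added example: byte-level scan for "push <x>; ret/retf/iretd" pairs
 * (32-bit x86 encodings). Not from the sandbox report or from the sample. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of a 32-bit-mode push starting at buf[i], or 0 if there is none. */
static size_t push_len(const uint8_t *buf, size_t n, size_t i)
{
    uint8_t op = buf[i];
    if ((op >= 0x50 && op <= 0x57) ||                           /* push r32 */
        op == 0x06 || op == 0x0E || op == 0x16 || op == 0x1E || /* push es/cs/ss/ds */
        op == 0x9C)                                             /* pushfd */
        return 1;
    if (op == 0x68) return i + 5 <= n ? 5 : 0;                  /* push imm32 */
    if (op == 0x6A) return i + 2 <= n ? 2 : 0;                  /* push imm8 */
    if (op == 0xFF && i + 1 < n && ((buf[i + 1] >> 3) & 7) == 6) { /* push r/m32 (FF /6) */
        uint8_t modrm = buf[i + 1], mod = modrm >> 6, rm = modrm & 7;
        size_t len = 2;
        if (mod != 3 && rm == 4) {                              /* SIB byte follows */
            if (i + 2 >= n) return 0;
            len += 1;
            if (mod == 0 && (buf[i + 2] & 7) == 5) len += 4;    /* SIB with no base: disp32 */
        }
        if (mod == 1) len += 1;                                 /* disp8, e.g. [ebp-1Ch] */
        else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;   /* disp32 */
        return i + len <= n ? len : 0;
    }
    return 0;
}

/* ret, ret imm16, retf, retf imm16, iretd */
static int is_ret(uint8_t op)
{
    return op == 0xC3 || op == 0xC2 || op == 0xCB || op == 0xCA || op == 0xCF;
}

/* Record the offset of every push that is directly followed by a return.
 * Returns the total number of hits (even beyond max). Like the sandbox
 * heuristic, this is a linear byte scan and can fire inside multi-byte
 * instructions; treat hits as leads, not proof. */
size_t scan_push_ret(const uint8_t *buf, size_t n, size_t *offsets, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = push_len(buf, n, i);
        if (len && i + len < n && is_ret(buf[i + len])) {
            if (hits < max) offsets[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed input mirroring the pairs listed in the report (not sample bytes). */
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC,             /* push ebp ; mov ebp, esp        (prologue, no hit) */
    0x9C, 0xCF,                   /* pushfd ; iretd                 (cf. 0_2_004059CC) */
    0x90,                         /* nop */
    0x16, 0xC3,                   /* push ss ; ret                  (cf. 0_2_00406199) */
    0x51, 0xCF,                   /* push ecx ; iretd               (cf. 0_2_00407E0A) */
    0xFF, 0x75, 0xE4, 0xC3,       /* push dword ptr [ebp-1Ch] ; ret (cf. 0_2_00402F0B) */
    0x51, 0xCB,                   /* push ecx ; retf                (cf. 0_2_00409B16) */
    0x5D, 0xC3                    /* pop ebp ; ret                  (epilogue, no hit) */
};

size_t scan_sample(size_t *offsets, size_t max)
{
    return scan_push_ret(SAMPLE, sizeof SAMPLE, offsets, max);
}

int main(void)
{
    size_t offs[16];
    size_t hits = scan_sample(offs, 16);
    printf("%zu push/ret pairs\n", hits);
    for (size_t k = 0; k < hits && k < 16; k++)
        printf("  offset 0x%02zx: %02X ... %02X\n", offs[k], SAMPLE[offs[k]],
               SAMPLE[offs[k] + push_len(SAMPLE, sizeof SAMPLE, offs[k])]);
    return 0;
}
```

On the constructed buffer the scanner reports five pairs and ignores the ordinary prologue and epilogue; on a real section you would run it over the mapped .text bytes and then confirm each hit in a disassembler, since a push/ret pair is also how position-independent code and some compilers implement indirect jumps.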
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
RDTSC instruction interceptor: First address: 0000000002237154 second address: 0000000002237154 instructions: |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
RDTSC instruction interceptor: First address: 000000000223A078 second address: 000000000223A078 instructions: |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
RDTSC instruction interceptor: First address: 000000000223A021 second address: 000000000223A078 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 53673179h 0x00000007 sub eax, 2CF91FC3h 0x0000000c xor eax, 4DAF12BEh 0x00000011 sub eax, 6BC10307h 0x00000016 cpuid 0x00000018 jmp 00007F311485C18Eh 0x0000001a pushad 0x0000001b rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\EXErprijFY.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |