Windows Analysis Report URGENT SWIFT COPY FOR JUNE 14 2021.exe

Overview

General Information

Sample Name: URGENT SWIFT COPY FOR JUNE 14 2021.exe
Analysis ID: 434445
MD5: 13fe879d4b0acd6b10e9e4db7fcf3a49
SHA1: c513f61b28a5602768fc3a07bea6efe0b743dc26
SHA256: f3a520aa6296de59468c3a38d45660091097c056b7249a66d3443f3bd4ecf997
Tags: exe

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Potentially malicious time measurement code found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Found malware configuration
Source: 00000000.00000002.575162168.00000000007D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=BAC03012EC7BD279&resid=BAC03012EC7BD279%21114&authkey=AETxWDW7LlqQvxw"}
Multi AV Scanner detection for submitted file
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=BAC03012EC7BD279&resid=BAC03012EC7BD279%21114&authkey=AETxWDW7LlqQvxw

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575222704.00000000007EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5977 NtAllocateVirtualMemory, 0_2_007D5977
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5A5A NtAllocateVirtualMemory, 0_2_007D5A5A
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5A0F NtAllocateVirtualMemory, 0_2_007D5A0F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5B02 NtAllocateVirtualMemory, 0_2_007D5B02
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5B81 NtAllocateVirtualMemory, 0_2_007D5B81
Detected potential crypto function
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_00412160 0_2_00412160
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5977 0_2_007D5977
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D407B 0_2_007D407B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1470 0_2_007D1470
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1463 0_2_007D1463
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3451 0_2_007D3451
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0C50 0_2_007D0C50
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D443D 0_2_007D443D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D343B 0_2_007D343B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D102F 0_2_007D102F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D402E 0_2_007D402E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3C1D 0_2_007D3C1D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D44FA 0_2_007D44FA
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0CF4 0_2_007D0CF4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D10F3 0_2_007D10F3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0CDC 0_2_007D0CDC
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D14BB 0_2_007D14BB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0CAD 0_2_007D0CAD
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D34AB 0_2_007D34AB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4090 0_2_007D4090
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1092 0_2_007D1092
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D448D 0_2_007D448D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3C83 0_2_007D3C83
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4168 0_2_007D4168
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D296A 0_2_007D296A
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3D51 0_2_007D3D51
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D254C 0_2_007D254C
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0D35 0_2_007D0D35
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1535 0_2_007D1535
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2533 0_2_007D2533
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D452B 0_2_007D452B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D410B 0_2_007D410B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3D01 0_2_007D3D01
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0D00 0_2_007D0D00
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1500 0_2_007D1500
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0DFB 0_2_007D0DFB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3DF4 0_2_007D3DF4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D41F4 0_2_007D41F4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D95F1 0_2_007D95F1
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D29D3 0_2_007D29D3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D19C0 0_2_007D19C0
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D45BD 0_2_007D45BD
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D15BE 0_2_007D15BE
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D19AE 0_2_007D19AE
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D41A4 0_2_007D41A4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3DA3 0_2_007D3DA3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D259E 0_2_007D259E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0D8F 0_2_007D0D8F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D458F 0_2_007D458F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D158E 0_2_007D158E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D9674 0_2_007D9674
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A70 0_2_007D2A70
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0E62 0_2_007D0E62
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4259 0_2_007D4259
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3E50 0_2_007D3E50
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D963B 0_2_007D963B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A2D 0_2_007D2A2D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D9621 0_2_007D9621
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1620 0_2_007D1620
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D461C 0_2_007D461C
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D5A0F 0_2_007D5A0F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D9608 0_2_007D9608
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2600 0_2_007D2600
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D96FD 0_2_007D96FD
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3EF4 0_2_007D3EF4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2ADE 0_2_007D2ADE
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3AD0 0_2_007D3AD0
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3AC9 0_2_007D3AC9
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D96CB 0_2_007D96CB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0EAC 0_2_007D0EAC
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3EA1 0_2_007D3EA1
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D9688 0_2_007D9688
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3F78 0_2_007D3F78
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D576E 0_2_007D576E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3B64 0_2_007D3B64
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0F67 0_2_007D0F67
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4352 0_2_007D4352
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3F48 0_2_007D3F48
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2B32 0_2_007D2B32
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D9717 0_2_007D9717
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3B0F 0_2_007D3B0F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4308 0_2_007D4308
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0BFC 0_2_007D0BFC
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0FCA 0_2_007D0FCA
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3FC3 0_2_007D3FC3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0BBC 0_2_007D0BBC
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3BBA 0_2_007D3BBA
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D43A3 0_2_007D43A3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2B9E 0_2_007D2B9E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0B95 0_2_007D0B95
PE file contains strange resources
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.574379251.0000000000442000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSerails4.exe vs URGENT SWIFT COPY FOR JUNE 14 2021.exe
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575132852.00000000007C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs URGENT SWIFT COPY FOR JUNE 14 2021.exe
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe Binary or memory string: OriginalFilenameSerails4.exe vs URGENT SWIFT COPY FOR JUNE 14 2021.exe
Uses 32bit PE files
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe File created: C:\Users\user\AppData\Local\Temp\~DF5BE9B5AE29950903.TMP
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe ReversingLabs: Detection: 10%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.575162168.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_00409F9B push esp; iretd 0_2_0040A018
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D8C2F push eax; ret 0_2_007D8C30
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1FD9 push FFFFFFF6h; ret 0_2_007D1FF7
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D6BB1 push cs; retf 0_2_007D6BBD
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D407B 0_2_007D407B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1470 0_2_007D1470
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1463 0_2_007D1463
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D402E 0_2_007D402E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3C1D 0_2_007D3C1D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D14BB 0_2_007D14BB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D4090 0_2_007D4090
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3C83 0_2_007D3C83
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D296A 0_2_007D296A
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3D51 0_2_007D3D51
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1535 0_2_007D1535
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3D01 0_2_007D3D01
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D1500 0_2_007D1500
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3DF4 0_2_007D3DF4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D29D3 0_2_007D29D3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D15BE 0_2_007D15BE
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3DA3 0_2_007D3DA3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D158E 0_2_007D158E
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A70 0_2_007D2A70
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3E50 0_2_007D3E50
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A2D 0_2_007D2A2D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3EF4 0_2_007D3EF4
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2ADE 0_2_007D2ADE
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3AD0 0_2_007D3AD0
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3AC9 0_2_007D3AC9
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3EA1 0_2_007D3EA1
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3F78 0_2_007D3F78
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3B64 0_2_007D3B64
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3F48 0_2_007D3F48
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3B0F 0_2_007D3B0F
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3FC3 0_2_007D3FC3
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3BBA 0_2_007D3BBA
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D0B95 0_2_007D0B95
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe RDTSC instruction interceptor: First address: 00000000007D5B13 second address: 00000000007D5B13 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe RDTSC instruction interceptor: First address: 00000000007D5B13 second address: 00000000007D5B13 instructions:
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe RDTSC instruction interceptor: First address: 00000000007D7BBF second address: 00000000007D7BBF instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 mov byte ptr [ebx], al
  0x00000005 test cl, FFFFFF8Ch
  0x00000008 inc ebx
  0x00000009 inc edx
  0x0000000a dec ecx
  0x0000000b test ecx, ecx
  0x0000000d jne 00007FE24CE437DBh
  0x0000000f mov al, byte ptr [edx]
  0x00000011 pushad
  0x00000012 mov esi, 00000046h
  0x00000017 rdtsc
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe RDTSC instruction interceptor: First address: 00000000007D5C53 second address: 00000000007D5C9E instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b sub edi, C59F85C6h
  0x00000011 test ecx, 1D95ACF7h
  0x00000017 xor edi, 41F17E9Fh
  0x0000001d jmp 00007FE24C3A1002h
  0x0000001f cmp dl, FFFFFFDBh
  0x00000022 test dh, dh
  0x00000024 push edi
  0x00000025 cmp eax, ecx
  0x00000027 mov edi, dword ptr [ebp+0000027Fh]
  0x0000002d test ch, dh
  0x0000002f cmp bl, al
  0x00000031 push dword ptr [ebp+00000140h]
  0x00000037 pushad
  0x00000038 lfence
  0x0000003b rdtsc
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe RDTSC instruction interceptor: First address: 00000000007D53A0 second address: 00000000007D53A0 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 2022209Bh
  0x00000007 xor eax, 80859C35h
  0x0000000c xor eax, 9F31FB3Eh
  0x00000011 xor eax, 3F964791h
  0x00000016 cpuid
  0x00000018 jmp 00007FE24CE43802h
  0x0000001a cmp bx, cx
  0x0000001d popad
  0x0000001e test cl, bl
  0x00000020 call 00007FE24CE437FDh
  0x00000025 lfence
  0x00000028 mov edx, B4C5CB13h
  0x0000002d xor edx, 7102A7F7h
  0x00000033 xor edx, 1935794Bh
  0x00000039 xor edx, A30C15BBh
  0x0000003f mov edx, dword ptr [edx]
  0x00000041 lfence
  0x00000044 ret
  0x00000045 cmp di, FA17h
  0x0000004a sub edx, esi
  0x0000004c ret
  0x0000004d test dx, 46E5h
  0x00000052 pop ecx
  0x00000053 add edi, edx
  0x00000055 test cx, ax
  0x00000058 dec ecx
  0x00000059 cmp ecx, 00000000h
  0x0000005c jne 00007FE24CE437AFh
  0x0000005e jmp 00007FE24CE43806h
  0x00000060 test eax, edx
  0x00000062 mov dword ptr [ebp+0000025Eh], edi
  0x00000068 mov edi, ecx
  0x0000006a cmp ax, dx
  0x0000006d push edi
  0x0000006e test ax, bx
  0x00000071 mov edi, dword ptr [ebp+0000025Eh]
  0x00000077 call 00007FE24CE4382Bh
  0x0000007c call 00007FE24CE43835h
  0x00000081 lfence
  0x00000084 mov edx, B4C5CB13h
  0x00000089 xor edx, 7102A7F7h
  0x0000008f xor edx, 1935794Bh
  0x00000095 xor edx, A30C15BBh
  0x0000009b mov edx, dword ptr [edx]
  0x0000009d lfence
  0x000000a0 ret
  0x000000a1 mov esi, edx
  0x000000a3 pushad
  0x000000a4 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D407B rdtsc 0_2_007D407B
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Process Stats: CPU usage > 90% for more than 60s
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A70 Start: 007D2BFF End: 007D2B0A 0_2_007D2A70
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2A2D Start: 007D2BFF End: 007D2B0A 0_2_007D2A2D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D2ADE Start: 007D2BFF End: 007D2B0A 0_2_007D2ADE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D407B rdtsc 0_2_007D407B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D3451 mov eax, dword ptr fs:[00000030h] 0_2_007D3451
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D343B mov eax, dword ptr fs:[00000030h] 0_2_007D343B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D296A mov eax, dword ptr fs:[00000030h] 0_2_007D296A
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D526B mov eax, dword ptr fs:[00000030h] 0_2_007D526B
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D7F7D mov eax, dword ptr fs:[00000030h] 0_2_007D7F7D
Source: C:\Users\user\Desktop\URGENT SWIFT COPY FOR JUNE 14 2021.exe Code function: 0_2_007D7BD1 mov eax, dword ptr fs:[00000030h] 0_2_007D7BD1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575438310.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575438310.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575438310.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: URGENT SWIFT COPY FOR JUNE 14 2021.exe, 00000000.00000002.575438310.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos