Windows Analysis Report uWDCUIgE95.exe

Overview

General Information

Sample Name: uWDCUIgE95.exe
Analysis ID: 434896
MD5: e6c676ea92d72da7f2d79f8afc468cf5
SHA1: c52fc4b841927fd73fc018f81c72845e225ad5e7
SHA256: 4a201ce6a206689701654f28999eed6731499cf7702b484cfdacd42d64e739a3
Tags: exe, GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: uWDCUIgE95.exe Avira: detected
Found malware configuration
Source: uWDCUIgE95.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"}
Multi AV Scanner detection for submitted file
Source: uWDCUIgE95.exe ReversingLabs: Detection: 23%

Compliance:

Uses 32bit PE files
Source: uWDCUIgE95.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: uWDCUIgE95.exe, 00000001.00000002.592279427.000000000065A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00405715 1_2_00405715
PE file contains strange resources
Source: uWDCUIgE95.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: uWDCUIgE95.exe, 00000001.00000000.229354305.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForhaeng.exe vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2X2 vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2X vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2XN vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2X+ vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2Xe vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForhaeng.exeFE2XF vs uWDCUIgE95.exe
Source: uWDCUIgE95.exe Binary or memory string: OriginalFilenameForhaeng.exe vs uWDCUIgE95.exe
Uses 32bit PE files
Source: uWDCUIgE95.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0
Source: uWDCUIgE95.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uWDCUIgE95.exe ReversingLabs: Detection: 23%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.592412428.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: uWDCUIgE95.exe, type: SAMPLE
Source: Yara match File source: 00000001.00000002.592043082.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.229326880.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 1.0.uWDCUIgE95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.uWDCUIgE95.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00406055 push ss; retf 1_2_00406057
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_0040906E push es; ret 1_2_0040906F
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00409419 push ebx; retf 1_2_0040941F
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_0040A039 pushad ; retf 1_2_0040A03B
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00406C9C push A53AAEE7h; ret 1_2_00406CAD
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00407566 push es; retf 1_2_00407567
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_004095C4 pushad ; iretd 1_2_004095C5
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00409181 push cs; ret 1_2_0040918B
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_0040A199 push cs; iretd 1_2_0040A19A
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00407DAA push es; retf 1_2_00407DAB
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_0040AE6E push ebx; ret 1_2_0040AEDD
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_0040AEDE push es; iretd 1_2_0040AEF3
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_004076E0 push es; retf 1_2_004076E7
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_004092FF push ss; ret 1_2_00409300
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_00402F13 push dword ptr [ebp-1Ch]; ret 1_2_0041B294
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Code function: 1_2_004047AD push ebp; ret 1_2_004047AE
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\uWDCUIgE95.exe RDTSC instruction interceptor: First address: 00000000021F2BC6 second address: 00000000021F2BC6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A1F04A1Bh 0x00000007 add eax, 4C97544Ah 0x0000000c xor eax, F4F56E4Dh 0x00000011 add eax, E58D0FD9h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FAA30938A38h 0x0000001e lfence 0x00000021 mov edx, 602BCEE6h 0x00000026 xor edx, E9EBD20Fh 0x0000002c xor edx, A543F5DAh 0x00000032 xor edx, 537DE927h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 cmp ecx, 00000000h 0x00000048 jne 00007FAA30938A0Dh 0x0000004a push dx 0x0000004c mov dx, 1DDDh 0x00000050 pop dx 0x00000052 mov dword ptr [ebp+000001FCh], esi 0x00000058 mov esi, ecx 0x0000005a push esi 0x0000005b mov esi, dword ptr [ebp+000001FCh] 0x00000061 call 00007FAA30938A8Fh 0x00000066 call 00007FAA30938A59h 0x0000006b lfence 0x0000006e mov edx, 602BCEE6h 0x00000073 xor edx, E9EBD20Fh 0x00000079 xor edx, A543F5DAh 0x0000007f xor edx, 537DE927h 0x00000085 mov edx, dword ptr [edx] 0x00000087 lfence 0x0000008a ret 0x0000008b mov esi, edx 0x0000008d pushad 0x0000008e rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\uWDCUIgE95.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos