Source: uWDCUIgE95.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin"} |
Source: uWDCUIgE95.exe |
ReversingLabs: Detection: 23% |
Source: uWDCUIgE95.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://theater.expodium.net/wp-content/plugins/m/Host_AvQmpG228.bin, https://meatflesh.com/b/Host_AvQmpG228.bin |
Source: uWDCUIgE95.exe, 00000001.00000002.592279427.000000000065A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00405715 |
1_2_00405715 |
Source: uWDCUIgE95.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: uWDCUIgE95.exe, 00000001.00000000.229354305.0000000000424000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exe vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2X2 vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2X vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2XN vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2X+ vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2Xe vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe, 00000001.00000002.592355988.00000000020F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameForhaeng.exeFE2XF vs uWDCUIgE95.exe |
Source: uWDCUIgE95.exe |
Binary or memory string: OriginalFilenameForhaeng.exe vs uWDCUIgE95.exe |
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0 |
Source: uWDCUIgE95.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000001.00000002.592412428.00000000021F0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: uWDCUIgE95.exe, type: SAMPLE |
Source: Yara match |
File source: 00000001.00000002.592043082.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.229326880.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 1.0.uWDCUIgE95.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.uWDCUIgE95.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00406055 push ss; retf |
1_2_00406057 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_0040906E push es; ret |
1_2_0040906F |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00409419 push ebx; retf |
1_2_0040941F |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_0040A039 pushad ; retf |
1_2_0040A03B |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00406C9C push A53AAEE7h; ret |
1_2_00406CAD |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00407566 push es; retf |
1_2_00407567 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_004095C4 pushad ; iretd |
1_2_004095C5 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00409181 push cs; ret |
1_2_0040918B |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_0040A199 push cs; iretd |
1_2_0040A19A |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00407DAA push es; retf |
1_2_00407DAB |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_0040AE6E push ebx; ret |
1_2_0040AEDD |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_0040AEDE push es; iretd |
1_2_0040AEF3 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_004076E0 push es; retf |
1_2_004076E7 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_004092FF push ss; ret |
1_2_00409300 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_00402F13 push dword ptr [ebp-1Ch]; ret |
1_2_0041B294 |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Code function: 1_2_004047AD push ebp; ret |
1_2_004047AE |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
RDTSC instruction interceptor: First address: 00000000021F2BC6 second address: 00000000021F2BC6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A1F04A1Bh 0x00000007 add eax, 4C97544Ah 0x0000000c xor eax, F4F56E4Dh 0x00000011 add eax, E58D0FD9h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FAA30938A38h 0x0000001e lfence 0x00000021 mov edx, 602BCEE6h 0x00000026 xor edx, E9EBD20Fh 0x0000002c xor edx, A543F5DAh 0x00000032 xor edx, 537DE927h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 cmp ecx, 00000000h 0x00000048 jne 00007FAA30938A0Dh 0x0000004a push dx 0x0000004c mov dx, 1DDDh 0x00000050 pop dx 0x00000052 mov dword ptr [ebp+000001FCh], esi 0x00000058 mov esi, ecx 0x0000005a push esi 0x0000005b mov esi, dword ptr [ebp+000001FCh] 0x00000061 call 00007FAA30938A8Fh 0x00000066 call 00007FAA30938A59h 0x0000006b lfence 0x0000006e mov edx, 602BCEE6h 0x00000073 xor edx, E9EBD20Fh 0x00000079 xor edx, A543F5DAh 0x0000007f xor edx, 537DE927h 0x00000085 mov edx, dword ptr [edx] 0x00000087 lfence 0x0000008a ret 0x0000008b mov esi, edx 0x0000008d pushad 0x0000008e rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\uWDCUIgE95.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: uWDCUIgE95.exe, 00000001.00000002.592318985.0000000000CE0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |