Windows Analysis Report PRICE-(BPS).exe

Overview

General Information

Sample Name: PRICE-(BPS).exe
Analysis ID: 434933
MD5: a75c6c6953a362788c54b36ec7f8dbf2
SHA1: 36c2485f9bec118660d3dcfb60e4b184c01c5d61
SHA256: 19a93cf55d422bf9dcca2ece46b98704248641f86ca7ed2a21d903c724c79a53
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: PRICE-(BPS).exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z"}

Compliance:

Uses 32bit PE files
Source: PRICE-(BPS).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175C85 NtAllocateVirtualMemory, 0_2_02175C85
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175E44 NtAllocateVirtualMemory, 0_2_02175E44
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175CC6 NtAllocateVirtualMemory, 0_2_02175CC6
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175CF4 NtAllocateVirtualMemory, 0_2_02175CF4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175D57 NtAllocateVirtualMemory, 0_2_02175D57
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175DB2 NtAllocateVirtualMemory, 0_2_02175DB2
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175DA1 NtAllocateVirtualMemory, 0_2_02175DA1
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175DCA NtAllocateVirtualMemory, 0_2_02175DCA
Detected potential crypto function
PE file contains strange resources
Source: PRICE-(BPS).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PRICE-(BPS).exe, 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMazier6.exe vs PRICE-(BPS).exe
Source: PRICE-(BPS).exe, 00000000.00000002.581959451.0000000002150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PRICE-(BPS).exe
Source: PRICE-(BPS).exe Binary or memory string: OriginalFilenameMazier6.exe vs PRICE-(BPS).exe
Uses 32bit PE files
Source: PRICE-(BPS).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe File created: C:\Users\user\AppData\Local\Temp\~DF583CFE3EF48CF414.TMP
Source: PRICE-(BPS).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: PRICE-(BPS).exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.201011246.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.0.PRICE-(BPS).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRICE-(BPS).exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_0040A678 pushfd ; retf 0_2_0040A6A0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175A90 push edx; retf 0_2_02175AB0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_0217353A push 39000002h; ret 0_2_0217354A
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02172745 0_2_02172745
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178C0C 0_2_02178C0C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178C28 0_2_02178C28
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178C88 0_2_02178C88
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178CCC 0_2_02178CCC
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178D17 0_2_02178D17
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175C85 rdtsc 0_2_02175C85
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175C85 rdtsc 0_2_02175C85
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178289 mov eax, dword ptr fs:[00000030h] 0_2_02178289
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178C0C mov eax, dword ptr fs:[00000030h] 0_2_02178C0C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02178C28 mov eax, dword ptr fs:[00000030h] 0_2_02178C28
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02175574 mov eax, dword ptr fs:[00000030h] 0_2_02175574
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_02177DB0 mov eax, dword ptr fs:[00000030h] 0_2_02177DB0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PRICE-(BPS).exe Code function: 0_2_021724CA cpuid 0_2_021724CA
No contacted IP infos