Windows Analysis Report Cailbers22LongRiflorderlist.exe

Overview

General Information

Sample Name: Cailbers22LongRiflorderlist.exe
Analysis ID: 434934
MD5: da7e577b39dc1882d8c2f5819ead22e3
SHA1: 4c7ff9565349068f73d96f48423ee5ae4f832fa6
SHA256: 66e4fb4c25d6f26bd7322782642f7b3ffd5747ca736e64868f8a3c76467bf8c0
Tags: exe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.700409713.0000000002220000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=CF699836D17ED884&resid=CF699836D17ED884%21110&authkey=AB6GufhtYFcXJ00P*"}

Compliance:

Uses 32bit PE files
Source: Cailbers22LongRiflorderlist.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=CF699836D17ED884&resid=CF699836D17ED884%21110&authkey=AB6GufhtYFcXJ00P*

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.699942002.000000000077A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Cailbers22LongRiflorderlist.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225909 NtAllocateVirtualMemory, 0_2_02225909
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225A23 NtAllocateVirtualMemory, 0_2_02225A23
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225A6C NtAllocateVirtualMemory, 0_2_02225A6C
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225AC6 NtAllocateVirtualMemory, 0_2_02225AC6
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225B2C NtAllocateVirtualMemory, 0_2_02225B2C
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225B4F NtAllocateVirtualMemory, 0_2_02225B4F
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225938 NtAllocateVirtualMemory, 0_2_02225938
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225998 NtAllocateVirtualMemory, 0_2_02225998
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_022259F0 NtAllocateVirtualMemory, 0_2_022259F0
Detected potential crypto function
PE file contains strange resources
Source: Cailbers22LongRiflorderlist.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.699405710.0000000000442000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNonamorousness5.exe vs Cailbers22LongRiflorderlist.exe
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.700365167.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Cailbers22LongRiflorderlist.exe
Source: Cailbers22LongRiflorderlist.exe Binary or memory string: OriginalFilenameNonamorousness5.exe vs Cailbers22LongRiflorderlist.exe
Uses 32bit PE files
Source: Cailbers22LongRiflorderlist.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe File created: C:\Users\user\AppData\Local\Temp\~DFEDBE4090EBA1C181.TMP
Source: Cailbers22LongRiflorderlist.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Cailbers22LongRiflorderlist.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.329521263.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697011620.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Cailbers22LongRiflorderlist.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Cailbers22LongRiflorderlist.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_0040A5BD push esp; retf 0_2_0040A5D9
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02228AED push eax; ret 0_2_02228AEE
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe RDTSC instruction interceptor: First address: 0000000002229837 second address: 0000000002229837 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe RDTSC instruction interceptor: First address: 0000000002229837 second address: 0000000002229837 instructions:
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe RDTSC instruction interceptor: First address: 00000000022252B7 second address: 0000000002225356 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov ecx, 39CEE144h
    0x00000010 xor ecx, 97ACFF28h
    0x00000016 xor ecx, 6735B1C6h
    0x0000001c jmp 00007FBB14A12776h
    0x0000001e cmp ch, dh
    0x00000020 sub ecx, C8AE504Ah
    0x00000026 mov dword ptr [ebp+00000211h], eax
    0x0000002c cmp al, cl
    0x0000002e mov eax, ecx
    0x00000030 push eax
    0x00000031 mov eax, dword ptr [ebp+00000211h]
    0x00000037 call 00007FBB14A127ACh
    0x0000003c call 00007FBB14A127B5h
    0x00000041 lfence
    0x00000044 mov edx, 361ACA44h
    0x00000049 xor edx, 29F260C9h
    0x0000004f sub edx, 4BA41BD5h
    0x00000055 xor edx, ABBA8EACh
    0x0000005b mov edx, dword ptr [edx]
    0x0000005d lfence
    0x00000060 ret
    0x00000061 mov esi, edx
    0x00000063 pushad
    0x00000064 rdtsc
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe RDTSC instruction interceptor: First address: 0000000002225356 second address: 000000000222532F instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 6CD18E72h
    0x00000007 sub eax, 719C9E22h
    0x0000000c xor eax, 72732D15h
    0x00000011 sub eax, 8947DD44h
    0x00000016 cpuid
    0x00000018 jmp 00007FBB14B576F2h
    0x0000001a test cl, cl
    0x0000001c popad
    0x0000001d call 00007FBB14B57700h
    0x00000022 lfence
    0x00000025 mov edx, 361ACA44h
    0x0000002a xor edx, 29F260C9h
    0x00000030 sub edx, 4BA41BD5h
    0x00000036 xor edx, ABBA8EACh
    0x0000003c mov edx, dword ptr [edx]
    0x0000003e lfence
    0x00000041 ret
    0x00000042 sub edx, esi
    0x00000044 ret
    0x00000045 test eax, 78C4E04Dh
    0x0000004a pop ecx
    0x0000004b jmp 00007FBB14B576F6h
    0x0000004d test bl, al
    0x0000004f add edi, edx
    0x00000051 test dh, FFFFFFE0h
    0x00000054 dec ecx
    0x00000055 pushad
    0x00000056 lfence
    0x00000059 rdtsc
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe RDTSC instruction interceptor: First address: 000000000222532F second address: 0000000002225356 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b cmp ecx, 00000000h
    0x0000000e jne 00007FBB14A12714h
    0x00000010 mov dword ptr [ebp+00000211h], eax
    0x00000016 cmp al, cl
    0x00000018 mov eax, ecx
    0x0000001a push eax
    0x0000001b mov eax, dword ptr [ebp+00000211h]
    0x00000021 call 00007FBB14A127ACh
    0x00000026 call 00007FBB14A127B5h
    0x0000002b lfence
    0x0000002e mov edx, 361ACA44h
    0x00000033 xor edx, 29F260C9h
    0x00000039 sub edx, 4BA41BD5h
    0x0000003f xor edx, ABBA8EACh
    0x00000045 mov edx, dword ptr [edx]
    0x00000047 lfence
    0x0000004a ret
    0x0000004b mov esi, edx
    0x0000004d pushad
    0x0000004e rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225909 rdtsc 0_2_02225909
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225909 rdtsc 0_2_02225909
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02225204 mov eax, dword ptr fs:[00000030h] 0_2_02225204
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02227EEA mov eax, dword ptr fs:[00000030h] 0_2_02227EEA
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02227B6C mov eax, dword ptr fs:[00000030h] 0_2_02227B6C
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02223467 mov eax, dword ptr fs:[00000030h] 0_2_02223467
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02223470 mov eax, dword ptr fs:[00000030h] 0_2_02223470
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02222981 mov eax, dword ptr fs:[00000030h] 0_2_02222981
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.700096171.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.700096171.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.700096171.0000000000E00000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Cailbers22LongRiflorderlist.exe, 00000000.00000002.700096171.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Cailbers22LongRiflorderlist.exe Code function: 0_2_02220691 cpuid 0_2_02220691
No contacted IP infos