Source: OFFER-8768777765554-PDF.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704"} |
Source: OFFER-8768777765554-PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704 |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577399025.00000000006AA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code functions calling NtAllocateVirtualMemory: 0_2_022E5A9F, 0_2_022E574E, 0_2_022E5B47, 0_2_022E5BB0, 0_2_022E5B93 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code functions (52): 0_2_0040DCBE, 0_2_022E5A9F, 0_2_022E3E2B, 0_2_022E8233, 0_2_022E761E, 0_2_022E1212, 0_2_022E0E6B, 0_2_022E96A1, 0_2_022E3E87, 0_2_022E8A98, 0_2_022E06C4, 0_2_022E12D5, 0_2_022E3F3D, 0_2_022E230E, 0_2_022E2F1B, 0_2_022E574E, 0_2_022E374B, 0_2_022E5B47, 0_2_022E2751, 0_2_022E2F8B, 0_2_022E3783, 0_2_022E3F95, 0_2_022E2BC4, 0_2_022E1BC1, 0_2_022E283B, 0_2_022E0000, 0_2_022E587C, 0_2_022E1043, 0_2_022E2C56, 0_2_022E4055, 0_2_022E8C53, 0_2_022E40AD, 0_2_022E10AB, 0_2_022E2CA3, 0_2_022E4CBC, 0_2_022E6089, 0_2_022E8C91, 0_2_022E10CD, 0_2_022E292F, 0_2_022E0D25, 0_2_022E4523, 0_2_022E211D, 0_2_022E0D6D, 0_2_022E1167, 0_2_022E2564, 0_2_022E2944, 0_2_022E11A7, 0_2_022E05BE, 0_2_022E4D89, 0_2_022E11E3, 0_2_022E3DE3, 0_2_022E29FF |
Source: OFFER-8768777765554-PDF.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000000.194465860.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577492034.00000000021C0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameStemmeskred7.exeFE2Xe vs OFFER-8768777765554-PDF.exe |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577518185.00000000022D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs OFFER-8768777765554-PDF.exe |
Source: OFFER-8768777765554-PDF.exe |
Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe |
Source: OFFER-8768777765554-PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: OFFER-8768777765554-PDF.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: OFFER-8768777765554-PDF.exe |
Virustotal: Detection: 13% |
Source: Yara match |
File source: OFFER-8768777765554-PDF.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_0040506F pushfd ; retf |
0_2_0040508C |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00408090 push BAD2BC25h; retf |
0_2_004080B9 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00404D00 push ds; ret |
0_2_00404D0F |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00405535 push cs; ret |
0_2_00405553 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00408D99 push cs; ret |
0_2_00408DA3 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00404206 push ebp; ret |
0_2_00404207 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00407E0B push ds; retf |
0_2_00407E0D |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00404A19 push edx; iretd |
0_2_00404A53 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_00405619 push es; ret |
0_2_0040561F |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code function: 0_2_022E8D5B push eax; ret |
0_2_022E8D63 |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Process information set: NOOPENFILEERRORBOX (5 identical entries) |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code functions: 0_2_022E8A98, 0_2_022E8C53, 0_2_022E6089, 0_2_022E8C91, 0_2_022E05BE |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
RDTSC instruction interceptor: First address: 00000000022E012B second address: 00000000022E012B instructions: |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
RDTSC instruction interceptor: First address: 00000000022E0392 second address: 00000000022E0392 instructions: |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
RDTSC instruction interceptor: First address: 00000000022E548D second address: 00000000022E548D instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 8513714Ah
  0x00000007 sub eax, BC31FDEAh
  0x0000000c sub eax, D99E02B9h
  0x00000011 add eax, 10BC8F5Ah                ; eax folds (32-bit wrap) to 00000001h: CPUID leaf 1
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 jmp 00007FF5107330C6h
  0x0000001b cmp ax, 0000AF66h
  0x0000001f call 00007FF5107330D7h
  0x00000024 lfence
  0x00000027 mov edx, 0ACECDC1h
  0x0000002c xor edx, 9CCC939Eh
  0x00000032 add edx, 5020915Ah
  0x00000038 xor edx, 99DCEFADh                ; edx folds to 7FFE0014h: KUSER_SHARED_DATA.SystemTime.LowPart
  0x0000003e mov edx, dword ptr [edx]          ; reads system time without an API call
  0x00000040 lfence
  0x00000043 ret
  0x00000044 sub edx, esi                      ; elapsed time against the value saved in esi (see 0x91)
  0x00000046 ret
  0x00000047 pop ecx
  0x00000048 jmp 00007FF5107330C2h
  0x0000004a cmp edx, ecx
  0x0000004c add edi, edx
  0x0000004e test dl, cl
  0x00000050 dec ecx
  0x00000051 cmp ecx, 00000000h
  0x00000054 jne 00007FF51073307Dh             ; ecx counts down: the measurement repeats in a loop
  0x00000056 mov dword ptr [ebp+00000200h], esi
  0x0000005c mov esi, ecx
  0x0000005e push esi
  0x0000005f mov esi, dword ptr [ebp+00000200h]
  0x00000065 cmp ch, bh
  0x00000067 call 00007FF5107330F6h
  0x0000006c call 00007FF510733112h
  0x00000071 lfence
  0x00000074 mov edx, 0ACECDC1h
  0x00000079 xor edx, 9CCC939Eh
  0x0000007f add edx, 5020915Ah
  0x00000085 xor edx, 99DCEFADh                ; same 7FFE0014h as above
  0x0000008b mov edx, dword ptr [edx]
  0x0000008d lfence
  0x00000090 ret
  0x00000091 mov esi, edx
  0x00000093 pushad
  0x00000094 rdtsc
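The listing above is the sample's own timing loop; the following C program is an added example written for this page, not code from the sample, the report or the sandbox vendor. It folds the obfuscated immediates exactly as the 32-bit ALU does (showing that eax becomes 1, the CPUID leaf, and edx becomes 7FFE0014h, the user-mode KUSER_SHARED_DATA mapping at offset 0x14, SystemTime.LowPart), and reimplements the RDTSC/CPUID/RDTSC delta measurement that such a loop relies on, so the difference between bare metal and a hypervisor can be observed on a test box. The threshold, the sample count and the use of a median are assumptions for illustration, not values taken from the sample; on non-x86 hosts the measurement returns 0. The 0_2_022Exxxx addresses, including this loop, are far above the 0x400000 image base seen in the unpack entries, so presumably the code runs from memory the process allocated at run time rather than from the mapped PE.

```c
/* Added example (not from the sample or the report): constant folding of the
 * obfuscated immediates in the RDTSC listing, plus a portable RDTSC/CPUID
 * timing probe of the kind such loops use to detect a hypervisor. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() */
#endif

/* mov eax, 8513714Ah ; sub eax, BC31FDEAh ; sub eax, D99E02B9h ; add eax, 10BC8F5Ah
 * Evaluated with 32-bit wrap-around, as the CPU does, this is the CPUID leaf. */
uint32_t resolve_cpuid_leaf(void)
{
    uint32_t eax = 0x8513714Au;
    eax -= 0xBC31FDEAu;
    eax -= 0xD99E02B9u;
    eax += 0x10BC8F5Au;
    return eax;            /* 1: CPUID leaf 1 (feature flags incl. hypervisor-present bit) */
}

/* mov edx, 0ACECDC1h ; xor edx, 9CCC939Eh ; add edx, 5020915Ah ; xor edx, 99DCEFADh
 * The result is the address the loop dereferences with mov edx, [edx]. */
uint32_t resolve_time_source(void)
{
    uint32_t edx = 0x0ACECDC1u;
    edx ^= 0x9CCC939Eu;
    edx += 0x5020915Au;
    edx ^= 0x99DCEFADu;
    return edx;            /* 0x7FFE0014: KUSER_SHARED_DATA + 0x14 = SystemTime.LowPart */
}

/* One sample: TSC ticks spent in a single CPUID(leaf). CPUID always exits to
 * the hypervisor, so the delta is far larger under virtualisation. */
static uint64_t cpuid_ticks_once(uint32_t leaf)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(leaf, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    (void)leaf;
    return 0;              /* no TSC on this architecture */
#endif
}

/* Median of n samples (n clamped to 1..64): a median resists the occasional
 * interrupt-inflated sample that makes a single rdtsc pair unreliable. */
uint64_t cpuid_ticks_median(uint32_t leaf, int n)
{
    uint64_t s[64];
    if (n < 1) n = 1;
    if (n > 64) n = 64;
    for (int i = 0; i < n; i++) {
        uint64_t v = cpuid_ticks_once(leaf);
        int j = i;         /* insertion sort keeps s[0..i] ordered */
        while (j > 0 && s[j - 1] > v) { s[j] = s[j - 1]; j--; }
        s[j] = v;
    }
    return s[n / 2];
}

/* The decision such a loop makes: ticks above a threshold means "analysis box".
 * The threshold is an assumption for illustration, not taken from the sample. */
int timing_suggests_hypervisor(uint64_t median_ticks, uint64_t threshold)
{
    return median_ticks > threshold;
}

int main(void)
{
    const uint64_t threshold = 1000;
    uint32_t leaf = resolve_cpuid_leaf();
    uint64_t med = cpuid_ticks_median(leaf, 31);
    printf("cpuid leaf           : %u\n", leaf);
    printf("time source address  : 0x%08X\n", resolve_time_source());
    printf("median cpuid ticks   : %llu\n", (unsigned long long)med);
    printf("hypervisor suspected : %s\n",
           timing_suggests_hypervisor(med, threshold) ? "yes" : "no");
    return 0;
}
```

Run it once on bare metal and once inside the analysis VM and compare the median; the sample's loop repeats this measurement many times, which is consistent with the sustained CPU usage the report records for the process.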
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe |
Code functions containing mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in the 32-bit TEB): 0_2_022E8A98, 0_2_022E536F, 0_2_022E374B, 0_2_022E3783, 0_2_022E2BC4, 0_2_022E7C09, 0_2_022E811C |
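A practitioner triaging a dumped region such as the 022E0000 area would want to locate the PEB reads above and the rdtsc/cpuid/lfence sequences of the RDTSC listing without stepping through them in a debugger. The following C scanner is an added example for this page, not the sample's, the report's or the sandbox vendor's code: it searches a byte buffer for the standard 32-bit encodings of those instructions. The input is constructed here by re-encoding the first seven instructions of the RDTSC listing (the report gives mnemonics, not bytes, so the encoding is an assumption), followed by a PEB read and a deliberate decoy, a mov immediate whose bytes happen to contain 0F 31, to show why a linear byte match over-reports compared with a real disassembler.

```c
/* Added example (not from the sample or the report): naive opcode scan of a
 * memory dump for the anti-analysis instructions the report flags. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char   *name;
    const uint8_t pat[6];
    size_t        len;
} pattern_t;

/* Standard 32-bit encodings (Intel SDM). */
const pattern_t patterns[] = {
    { "rdtsc",            { 0x0F, 0x31 },                         2 },
    { "cpuid",            { 0x0F, 0xA2 },                         2 },
    { "lfence",           { 0x0F, 0xAE, 0xE8 },                   3 },
    { "mov eax,fs:[30h]", { 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00 }, 6 },
};
#define NPAT (sizeof patterns / sizeof patterns[0])

/* Constructed input: the first seven instructions of the report's RDTSC listing
 * re-encoded (offsets 0x00-0x18 line up with the listing), then a PEB read, an
 * lfence, and a decoy "mov eax, 310Fh" whose immediate contains 0F 31. */
const uint8_t sample_region[] = {
    0x0F, 0x31,                         /* 0x00 rdtsc               */
    0xB8, 0x4A, 0x71, 0x13, 0x85,       /* 0x02 mov eax, 8513714Ah  */
    0x2D, 0xEA, 0xFD, 0x31, 0xBC,       /* 0x07 sub eax, BC31FDEAh  */
    0x2D, 0xB9, 0x02, 0x9E, 0xD9,       /* 0x0c sub eax, D99E02B9h  */
    0x05, 0x5A, 0x8F, 0xBC, 0x10,       /* 0x11 add eax, 10BC8F5Ah  */
    0x0F, 0xA2,                         /* 0x16 cpuid               */
    0x61,                               /* 0x18 popad               */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, /* mov eax, fs:[30h] (PEB)  */
    0x0F, 0xAE, 0xE8,                   /* lfence                   */
    0xB8, 0x0F, 0x31, 0x00, 0x00,       /* mov eax, 310Fh (decoy)   */
    0xC3,                               /* ret                      */
};
const size_t sample_region_len = sizeof sample_region;

/* Count occurrences of p in buf. Every offset is tried, so a match inside an
 * immediate or straddling two instructions is counted too (the decoy shows it). */
size_t count_pattern(const uint8_t *buf, size_t n, const pattern_t *p)
{
    size_t hits = 0;
    for (size_t i = 0; i + p->len <= n; i++)
        if (memcmp(buf + i, p->pat, p->len) == 0)
            hits++;
    return hits;
}

/* Fill counts[0..NPAT) for buf and return the total number of hits. */
size_t scan_all(const uint8_t *buf, size_t n, size_t counts[NPAT])
{
    size_t total = 0;
    for (size_t k = 0; k < NPAT; k++) {
        counts[k] = count_pattern(buf, n, &patterns[k]);
        total += counts[k];
    }
    return total;
}

/* Hits of one named pattern in the constructed region; (size_t)-1 if unknown. */
size_t sample_hits(const char *name)
{
    for (size_t k = 0; k < NPAT; k++)
        if (strcmp(patterns[k].name, name) == 0)
            return count_pattern(sample_region, sample_region_len, &patterns[k]);
    return (size_t)-1;
}

/* Total hits over the constructed region. */
size_t sample_total(void)
{
    size_t counts[NPAT];
    return scan_all(sample_region, sample_region_len, counts);
}

int main(void)
{
    size_t counts[NPAT];
    size_t total = scan_all(sample_region, sample_region_len, counts);
    for (size_t k = 0; k < NPAT; k++)
        printf("%-18s %zu\n", patterns[k].name, counts[k]);
    printf("total %zu (one rdtsc hit is the decoy immediate)\n", total);
    return 0;
}
```

The scanner reports two rdtsc hits although the region contains one real rdtsc: the second is the 0F 31 inside the decoy immediate. The same effect explains why byte-level heuristics flag push/ret pairs such as push BAD2BC25h; retf in ordinary .text data; confirm such hits with a disassembler that follows control flow before treating them as obfuscation.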
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |