Windows Analysis Report KDVTOodd7T

Overview

General Information

Sample Name: KDVTOodd7T (renamed file extension from none to exe)
Analysis ID: 435339
MD5: 457fcb32ec7df1868df42f31cce2a301
SHA1: 8bd3a8d8e0f6a48b51e5b3fbc119b154304044ec
SHA256: c7d1295093d4112a976f0c13be811d2a1fb6dc5928e1fabefe7b1315f7b0e95f
Tags: 32, exe, GuLoader

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin Avira URL Cloud: Label: malware
Found malware configuration
Source: KDVTOodd7T.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin"}

Compliance:

Uses 32bit PE files
Source: KDVTOodd7T.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bara-seck.com/bin_dwjDbyFc82.bin, http://benvenuti.rs/wp-content/bin_dwjDbyFc82.bin

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5BFE NtAllocateVirtualMemory, 1_2_021E5BFE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5E16 NtAllocateVirtualMemory, 1_2_021E5E16
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5BFF NtAllocateVirtualMemory, 1_2_021E5BFF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5C4F NtAllocateVirtualMemory, 1_2_021E5C4F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5C64 NtAllocateVirtualMemory, 1_2_021E5C64
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5CD6 NtAllocateVirtualMemory, 1_2_021E5CD6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5D1E NtAllocateVirtualMemory, 1_2_021E5D1E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5D5E NtAllocateVirtualMemory, 1_2_021E5D5E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5DCA NtAllocateVirtualMemory, 1_2_021E5DCA
Detected potential crypto function
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_0040E16D 1_2_0040E16D
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_00404D55 1_2_00404D55
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5BFE 1_2_021E5BFE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9A18 1_2_021E9A18
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0E16 1_2_021E0E16
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1A3F 1_2_021E1A3F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4A3C 1_2_021E4A3C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1A3D 1_2_021E1A3D
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4638 1_2_021E4638
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9A30 1_2_021E9A30
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1226 1_2_021E1226
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3258 1_2_021E3258
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9A57 1_2_021E9A57
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9254 1_2_021E9254
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4E46 1_2_021E4E46
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0E72 1_2_021E0E72
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1268 1_2_021E1268
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1A9E 1_2_021E1A9E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E46BA 1_2_021E46BA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E32BA 1_2_021E32BA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E62AA 1_2_021E62AA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4AA6 1_2_021E4AA6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0EA6 1_2_021E0EA6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E12C6 1_2_021E12C6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E76C2 1_2_021E76C2
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1AFE 1_2_021E1AFE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E46FE 1_2_021E46FE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4AF2 1_2_021E4AF2
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3AF1 1_2_021E3AF1
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1B1F 1_2_021E1B1F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B17 1_2_021E8B17
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6313 1_2_021E6313
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3B0E 1_2_021E3B0E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E330B 1_2_021E330B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0708 1_2_021E0708
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B04 1_2_021E8B04
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F00 1_2_021E0F00
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1326 1_2_021E1326
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F5A 1_2_021E0F5A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E475A 1_2_021E475A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4B58 1_2_021E4B58
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3B50 1_2_021E3B50
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1B76 1_2_021E1B76
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E136E 1_2_021E136E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6362 1_2_021E6362
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3360 1_2_021E3360
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F9E 1_2_021E0F9E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3B9F 1_2_021E3B9F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B8F 1_2_021E8B8F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E338B 1_2_021E338B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3FB8 1_2_021E3FB8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E63A3 1_2_021E63A3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E47A0 1_2_021E47A0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2BDB 1_2_021E2BDB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4BC8 1_2_021E4BC8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8BC4 1_2_021E8BC4
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E13C3 1_2_021E13C3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5BFF 1_2_021E5BFF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1FF3 1_2_021E1FF3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1FE8 1_2_021E1FE8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0FE4 1_2_021E0FE4
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3BE3 1_2_021E3BE3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4C1E 1_2_021E4C1E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E641F 1_2_021E641F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E441C 1_2_021E441C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8C1A 1_2_021E8C1A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2C14 1_2_021E2C14
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4800 1_2_021E4800
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1038 1_2_021E1038
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3036 1_2_021E3036
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4430 1_2_021E4430
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E202A 1_2_021E202A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4C5E 1_2_021E4C5E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E484E 1_2_021E484E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5C4F 1_2_021E5C4F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E304B 1_2_021E304B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8849 1_2_021E8849
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E447F 1_2_021E447F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2C78 1_2_021E2C78
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3C6B 1_2_021E3C6B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8C66 1_2_021E8C66
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1464 1_2_021E1464
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5C64 1_2_021E5C64
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3C9C 1_2_021E3C9C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E108C 1_2_021E108C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E308C 1_2_021E308C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0C87 1_2_021E0C87
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0CBE 1_2_021E0CBE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E48BA 1_2_021E48BA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E54B5 1_2_021E54B5
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E14B0 1_2_021E14B0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8CA7 1_2_021E8CA7
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E30DE 1_2_021E30DE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E98DA 1_2_021E98DA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E58D3 1_2_021E58D3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E44CF 1_2_021E44CF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E98CD 1_2_021E98CD
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E74CA 1_2_021E74CA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2CC7 1_2_021E2CC7
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4CC5 1_2_021E4CC5
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4CFF 1_2_021E4CFF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E98F7 1_2_021E98F7
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E10EB 1_2_021E10EB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8CEB 1_2_021E8CEB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0D17 1_2_021E0D17
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4913 1_2_021E4913
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9913 1_2_021E9913
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2D05 1_2_021E2D05
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3138 1_2_021E3138
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9937 1_2_021E9937
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1132 1_2_021E1132
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4532 1_2_021E4532
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8D30 1_2_021E8D30
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0D31 1_2_021E0D31
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E995A 1_2_021E995A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2D4A 1_2_021E2D4A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E457F 1_2_021E457F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E997A 1_2_021E997A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4D70 1_2_021E4D70
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8D6A 1_2_021E8D6A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4968 1_2_021E4968
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E119B 1_2_021E119B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4990 1_2_021E4990
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6180 1_2_021E6180
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4DBB 1_2_021E4DBB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E61BB 1_2_021E61BB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8DAA 1_2_021E8DAA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E99A8 1_2_021E99A8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E31A0 1_2_021E31A0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E99DF 1_2_021E99DF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E45D6 1_2_021E45D6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0DD3 1_2_021E0DD3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E11C8 1_2_021E11C8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E99C3 1_2_021E99C3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4DFA 1_2_021E4DFA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E99F7 1_2_021E99F7
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8DF2 1_2_021E8DF2
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E31EF 1_2_021E31EF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E49EF 1_2_021E49EF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E61EC 1_2_021E61EC
PE file contains strange resources
Source: KDVTOodd7T.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: KDVTOodd7T.exe, 00000001.00000002.693611790.0000000002A90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOders.exeFE2Xl vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe, 00000001.00000000.328540343.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOders.exe vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe, 00000001.00000002.692811986.00000000021D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs KDVTOodd7T.exe
Source: KDVTOodd7T.exe Binary or memory string: OriginalFilenameOders.exe vs KDVTOodd7T.exe
Uses 32bit PE files
Source: KDVTOodd7T.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe File created: C:\Users\user\AppData\Local\Temp\~DF299C0E1CBDF0229D.TMP
Source: KDVTOodd7T.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.692826646.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: KDVTOodd7T.exe, type: SAMPLE
Source: Yara match File source: 00000001.00000000.328525876.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692341563.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 1.2.KDVTOodd7T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.KDVTOodd7T.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_00408275 push ss; iretd 1_2_00408277
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_004072D2 push edi; retf 1_2_004072D3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_004046EC push esp; ret 1_2_004046ED
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_004057EA push es; iretd 1_2_004057F8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E5466 push ecx; retf 1_2_021E5467
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021EA134 push 6DC60657h; ret 1_2_021EA194
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0E16 1_2_021E0E16
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4A3C 1_2_021E4A3C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4638 1_2_021E4638
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E9254 1_2_021E9254
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4E46 1_2_021E4E46
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0E72 1_2_021E0E72
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E46BA 1_2_021E46BA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4AA6 1_2_021E4AA6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0EA6 1_2_021E0EA6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4ECE 1_2_021E4ECE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E76C2 1_2_021E76C2
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E46FE 1_2_021E46FE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4EFA 1_2_021E4EFA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4AF2 1_2_021E4AF2
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3AF1 1_2_021E3AF1
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B17 1_2_021E8B17
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B04 1_2_021E8B04
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F00 1_2_021E0F00
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F5A 1_2_021E0F5A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E475A 1_2_021E475A
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4B58 1_2_021E4B58
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4F54 1_2_021E4F54
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0F9E 1_2_021E0F9E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B8F 1_2_021E8B8F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3FB8 1_2_021E3FB8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E47A0 1_2_021E47A0
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4BC8 1_2_021E4BC8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4FC6 1_2_021E4FC6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8BC4 1_2_021E8BC4
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0FE4 1_2_021E0FE4
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4C1E 1_2_021E4C1E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4800 1_2_021E4800
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1038 1_2_021E1038
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4430 1_2_021E4430
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E7C22 1_2_021E7C22
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4C5E 1_2_021E4C5E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E484E 1_2_021E484E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8849 1_2_021E8849
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E7C47 1_2_021E7C47
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E447F 1_2_021E447F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E108C 1_2_021E108C
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0C87 1_2_021E0C87
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0CBE 1_2_021E0CBE
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E48BA 1_2_021E48BA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E54B5 1_2_021E54B5
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E44CF 1_2_021E44CF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E74CA 1_2_021E74CA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4CC5 1_2_021E4CC5
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4CFF 1_2_021E4CFF
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E10EB 1_2_021E10EB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0D17 1_2_021E0D17
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4913 1_2_021E4913
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E1132 1_2_021E1132
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4532 1_2_021E4532
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0D31 1_2_021E0D31
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E457F 1_2_021E457F
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4D70 1_2_021E4D70
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4968 1_2_021E4968
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E119B 1_2_021E119B
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6998 1_2_021E6998
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4990 1_2_021E4990
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4DBB 1_2_021E4DBB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E45D6 1_2_021E45D6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E29D5 1_2_021E29D5
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E0DD3 1_2_021E0DD3
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E11C8 1_2_021E11C8
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E4DFA 1_2_021E4DFA
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E49EF 1_2_021E49EF
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe RDTSC instruction interceptor: First address: 00000000021E7CB4 second address: 00000000021E7CB4 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KDVTOodd7T.exe RDTSC instruction interceptor: First address: 00000000021E7C5B second address: 00000000021E7C75 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov ecx, dword ptr [eax+24h]
  0x0000000e mov dword ptr [ebp+10h], ecx
  0x00000011 mov esi, dword ptr [eax+20h]
  0x00000014 pushad
  0x00000015 mov eax, 0000009Fh
  0x0000001a rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe RDTSC instruction interceptor: First address: 00000000021E7C75 second address: 00000000021E7CB4 instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 add esi, dword ptr [ebp+04h]
  0x00000006 xor ecx, ecx
  0x00000008 mov edx, dword ptr [esi]
  0x0000000a cmp cl, FFFFFFA7h
  0x0000000d add edx, dword ptr [ebp+04h]
  0x00000010 mov dword ptr [ebp+000001EAh], ebx
  0x00000016 mov ebx, ecx
  0x00000018 cmp dh, dh
  0x0000001a push ebx
  0x0000001b mov ebx, dword ptr [ebp+000001EAh]
  0x00000021 cmp bl, al
  0x00000023 mov dword ptr [ebp+00000242h], eax
  0x00000029 mov eax, esi
  0x0000002b push eax
  0x0000002c jmp 00007FD200395642h
  0x0000002e pushad
  0x0000002f rdtsc
Source: C:\Users\user\Desktop\KDVTOodd7T.exe RDTSC instruction interceptor: First address: 00000000021E7CB4 second address: 00000000021E7CB4 instructions:
Source: C:\Users\user\Desktop\KDVTOodd7T.exe RDTSC instruction interceptor: First address: 00000000021E8296 second address: 00000000021E8296 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, A9806D28h
  0x00000007 xor eax, 34FBFF8Fh
  0x0000000c xor eax, 88F23A62h
  0x00000011 add eax, EA76573Ch
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007FD20039566Bh
  0x0000001e lfence
  0x00000021 mov edx, 50D17F9Fh
  0x00000026 sub edx, F1A1A6A8h
  0x0000002c xor edx, 2B14136Fh
  0x00000032 xor edx, 0BC5CB8Ch
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d jmp 00007FD200395642h
  0x0000003f test bh, ah
  0x00000041 test ebx, F76DAF81h
  0x00000047 cmp dh, 00000050h
  0x0000004a cmp ch, ah
  0x0000004c ret
  0x0000004d jmp 00007FD200395646h
  0x0000004f cmp cx, 2A72h
  0x00000054 sub edx, esi
  0x00000056 ret
  0x00000057 cmp al, cl
  0x00000059 cmp bl, FFFFFFB2h
  0x0000005c add edi, edx
  0x0000005e cmp ch, ch
  0x00000060 dec dword ptr [ebp+000000F8h]
  0x00000066 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000006d jne 00007FD200395615h
  0x0000006f call 00007FD200395656h
  0x00000074 call 00007FD20039568Ch
  0x00000079 lfence
  0x0000007c mov edx, 50D17F9Fh
  0x00000081 sub edx, F1A1A6A8h
  0x00000087 xor edx, 2B14136Fh
  0x0000008d xor edx, 0BC5CB8Ch
  0x00000093 mov edx, dword ptr [edx]
  0x00000095 lfence
  0x00000098 jmp 00007FD200395642h
  0x0000009a test bh, ah
  0x0000009c test ebx, F76DAF81h
  0x000000a2 cmp dh, 00000050h
  0x000000a5 cmp ch, ah
  0x000000a7 ret
  0x000000a8 mov esi, edx
  0x000000aa pushad
  0x000000ab rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6A1F rdtsc 1_2_021E6A1F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E6A1F rdtsc 1_2_021E6A1F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3AF1 mov eax, dword ptr fs:[00000030h] 1_2_021E3AF1
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B17 mov eax, dword ptr fs:[00000030h] 1_2_021E8B17
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3B0E mov eax, dword ptr fs:[00000030h] 1_2_021E3B0E
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8B04 mov eax, dword ptr fs:[00000030h] 1_2_021E8B04
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E57A7 mov eax, dword ptr fs:[00000030h] 1_2_021E57A7
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E7FC9 mov eax, dword ptr fs:[00000030h] 1_2_021E7FC9
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E37C6 mov eax, dword ptr fs:[00000030h] 1_2_021E37C6
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E3036 mov eax, dword ptr fs:[00000030h] 1_2_021E3036
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E8849 mov eax, dword ptr fs:[00000030h] 1_2_021E8849
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E79CB mov eax, dword ptr fs:[00000030h] 1_2_021E79CB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: KDVTOodd7T.exe, 00000001.00000002.692698662.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\KDVTOodd7T.exe Code function: 1_2_021E2A10 cpuid 1_2_021E2A10
No contacted IP infos