Source: ZGNX11JMSc.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"} |
Source: ZGNX11JMSc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: | Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe |
Source: Malware configuration extractor | URLs: http://ceattire.com/bin_UYDMbHwI28.bin |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0O |
Source: ZGNX11JMSc.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: ZGNX11JMSc.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023155AC NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310EFE |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023172C3 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023142CD |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B2D |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B1A |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317F03 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02313F0C |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317B73 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317F6D |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B5F |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310FB5 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312793 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02314785 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02318385 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02314B8E |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023143F1 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317036 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231341B |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231100E |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02314071 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231844C |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02318C82 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02318CD5 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023180D4 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023134C4 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231350F |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317D52 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312958 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02318D58 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312940 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023129B0 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312183 |
Source: ZGNX11JMSc.exe | Static PE information: invalid certificate |
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ZGNX11JMSc.exe, 00000000.00000000.216975638.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe |
Source: ZGNX11JMSc.exe | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File created: C:\Users\user\AppData\Local\Temp\~DF46939C48381DC1A3.TMP | Jump to behavior |
Source: ZGNX11JMSc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: ZGNX11JMSc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Yara match | File source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: ZGNX11JMSc.exe, type: SAMPLE |
Source: Yara match | File source: 0.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0040495E push es; ret |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02315F81 push ecx; ret |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02319551 push edx; iretd |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310EFE |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023142CD |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B1A |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B5F |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310FB5 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312793 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02316F9E |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023143F1 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317036 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231341B |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231100E |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02314071 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317D52 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312958 |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000023101BE second address: 00000000023101BE instructions: |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000023170C1 second address: 00000000023170D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002318DB2 second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002318DFF second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F588C90F2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002317A0D second address: 0000000002317A0D instructions: |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 rdtsc |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02316B93 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231341B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023150CA mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317D52 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312958 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023171A9 mov eax, dword ptr fs:[00000030h] |
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231054C cpuid |