Loading ...

Play interactive tourEdit tour

Windows Analysis Report SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Overview

General Information

Sample Name:SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Analysis ID:450598
MD5:597eff6540780213008d384ca831852a
SHA1:74fcaa7b00efdfc2056eb4651aea03c529d9bf8d
SHA256:464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000000.199329516.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          1.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeVirustotal: Detection: 20%Perma Link
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://andreameixueiro.com/karin_entmCGmZw1b;z
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211812F NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02118299 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211834D NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02118365 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021181FD NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021181E5 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211812F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113214
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211620D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116231
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116225
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211427F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114295
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114289
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C2AB
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021142AD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162D5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162C9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162E1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114351
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116379
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211B361
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211636D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116385
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211B3BD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021143D5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211B3F9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021143E1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021163E3
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02117010
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211401B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211600D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211B022
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116025
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211702B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114061
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116095
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114085
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021160B9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116111
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114111
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211411D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114109
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02117109
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114135
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211E156
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116175
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116161
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116169
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021171B1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021141D1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021171C9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021141F5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C631
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C625
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C649
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116695
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211568B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021166B9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C6BD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C6C9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116735
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C735
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116729
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C759
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C741
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C7BD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021177A8
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021137D4
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C7E1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110407
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116431
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211643D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116455
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110459
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114475
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113476
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116479
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211047D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211447D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110465
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021154B5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164DD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164F1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164E5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021144E5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116536
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211452D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C598
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165C2
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165CD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165F1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CA19
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A1F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CA0D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A31
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CA25
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A5B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A5D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A40
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DA43
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A45
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A79
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116A7D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DA61
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A9C
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A81
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116A89
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DA89
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A8D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113AB2
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CAA1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CAAD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211BAD3
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CAC5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DAC7
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DAF5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110AE8
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211BB1D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211BB05
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113B0D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112B0C
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110B33
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110B3D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DB3D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115B3F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116B21
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116B2D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CB2D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112B51
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112B5D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DB5D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DB47
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110B49
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115B75
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DB75
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110B61
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112B69
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115B69
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211BB99
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DB9D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115B8D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113BB1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBB5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113BBD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113BA6
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBA9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113BD5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110BD5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBD5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116BC9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBCD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBF9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116BFD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DBED
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C816
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C85D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116875
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211A877
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116869
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211688D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C8FD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116919
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211090F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116931
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115920
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116925
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115959
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211594D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C995
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C989
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021169B9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C9A1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021169F3
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116E25
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CE41
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEBD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CED5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112ED9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEC9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116EF5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112EF9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEED
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116F19
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112F1D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116F01
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116F0D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CF61
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211AF6A
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116F8D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115C15
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116C15
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DC19
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116C09
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115C09
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DC0D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116C21
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DC25
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115C2D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02117C57
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DC59
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DC71
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116CB5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211ACAC
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116CCD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115CE5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DCE5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DCED
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116D11
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DD11
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116D75
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DD9D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DDB1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DDA5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211DDC9
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280612420.00000000020C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeBinary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeFile created: C:\Users\user\AppData\Local\Temp\~DF0927D9F65CCD4BB7.TMPJump to behavior
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeVirustotal: Detection: 20%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, type: SAMPLE
            Source: Yara matchFile source: 1.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000000.199329516.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0040662E push ebp; iretd
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110753 push edi; retf
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211076C push edi; retf
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211076C push edi; retf
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110791 push edi; retf
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113214
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211620D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116231
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116225
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162D5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162C9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021162E1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116379
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211636D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116385
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021163E3
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211600D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116025
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116095
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021160B9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116111
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116175
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116161
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116169
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211568B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021177A8
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021137D4
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02110407
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116431
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211643D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116455
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116479
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164DD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164F1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021164E5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02116536
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C598
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165C2
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165CD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_021165F1
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02113A1F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A5B
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A40
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A79
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A81
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112A8D
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211BAD3
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02112B0C
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02115B3F
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211A877
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02117878
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CE41
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEBD
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CED5
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEC9
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CEED
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CF79
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211CF61
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeRDTSC instruction interceptor: First address: 000000000211BB89 second address: 000000000211BB89 instructions:
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeRDTSC instruction interceptor: First address: 000000000211BB89 second address: 000000000211BB89 instructions:
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeRDTSC instruction interceptor: First address: 000000000211B7D7 second address: 000000000211B73A instructions: 0x00000000 rdtsc 0x00000002 mov eax, E2C96E1Dh 0x00000007 add eax, F5135739h 0x0000000c add eax, 4CB33013h 0x00000011 xor eax, 248FF568h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp al, bl 0x0000001b call 00007F67F8BAD9A0h 0x00000020 lfence 0x00000023 mov edx, CF8A4B87h 0x00000028 xor edx, 92055ED3h 0x0000002e sub edx, 11EA7C92h 0x00000034 xor edx, 345A98D6h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test eax, edx 0x00000041 cmp ebx, eax 0x00000043 cmp ch, ch 0x00000045 cmp dh, dh 0x00000047 jmp 00007F67F8BAD982h 0x00000049 test ecx, eax 0x0000004b test dx, cx 0x0000004e test ecx, 5A8CACB8h 0x00000054 cmp bh, 0000006Fh 0x00000057 ret 0x00000058 test ecx, edx 0x0000005a sub edx, esi 0x0000005c ret 0x0000005d test cx, cx 0x00000060 test dh, ch 0x00000062 test eax, ecx 0x00000064 add edi, edx 0x00000066 cmp cx, cx 0x00000069 dec dword ptr [ebp+000000F8h] 0x0000006f pushad 0x00000070 lfence 0x00000073 rdtsc
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeRDTSC instruction interceptor: First address: 000000000211B73A second address: 000000000211B7D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000012 jne 00007F67F8CB656Eh 0x00000014 cmp dx, cx 0x00000017 cmp dl, bl 0x00000019 call 00007F67F8CB6650h 0x0000001e call 00007F67F8CB6613h 0x00000023 lfence 0x00000026 mov edx, CF8A4B87h 0x0000002b xor edx, 92055ED3h 0x00000031 sub edx, 11EA7C92h 0x00000037 xor edx, 345A98D6h 0x0000003d mov edx, dword ptr [edx] 0x0000003f lfence 0x00000042 test eax, edx 0x00000044 cmp ebx, eax 0x00000046 cmp ch, ch 0x00000048 cmp dh, dh 0x0000004a jmp 00007F67F8CB65D2h 0x0000004c test ecx, eax 0x0000004e test dx, cx 0x00000051 test ecx, 5A8CACB8h 0x00000057 cmp bh, 0000006Fh 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211812F rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeProcess Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211812F rdtsc
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211401B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211B199 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211C598 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02117A5C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_02114B10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211A910 mov eax, dword ptr fs:[00000030h]
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCode function: 1_2_0211D094 cpuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.