Windows Analysis Report F63V4i8eZU

Overview

General Information

Sample Name:	F63V4i8eZU (renamed file extension from none to exe)
Analysis ID:	450884
MD5:	08730cdd286a4c9d46b38bb6545ac311
SHA1:	001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256:	cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Potentially malicious time measurement code found

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: F63V4i8eZU.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}

Multi AV Scanner detection for submitted file

Source: F63V4i8eZU.exe

Virustotal: Detection: 10%

Perma Link

Compliance:

Uses 32bit PE files

Source: F63V4i8eZU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_QVwo

Source: F63V4i8eZU.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: F63V4i8eZU.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: F63V4i8eZU.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: F63V4i8eZU.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: F63V4i8eZU.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55BB NtAllocateVirtualMemory,	0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5724 NtAllocateVirtualMemory,	0_2_021D5724
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55F6 NtAllocateVirtualMemory,	0_2_021D55F6

Detected potential crypto function

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55BB	0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8254	0_2_021D8254
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A84	0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D22D5	0_2_021D22D5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AD6	0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AFD	0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5359	0_2_021D5359
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33EC	0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1057	0_2_021D1057
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D78B2	0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D48E8	0_2_021D48E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8138	0_2_021D8138
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3920	0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D19CC	0_2_021D19CC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D0618	0_2_021D0618
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2E2F	0_2_021D2E2F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D9626	0_2_021D9626
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8E7C	0_2_021D8E7C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D968F	0_2_021D968F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8ED8	0_2_021D8ED8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8F40	0_2_021D8F40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7FF5	0_2_021D7FF5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2C5C	0_2_021D2C5C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3C4D	0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2470	0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D348A	0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D84A6	0_2_021D84A6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D84E9	0_2_021D84E9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D34EA	0_2_021D34EA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3568	0_2_021D3568
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D0584	0_2_021D0584
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4	0_2_021D8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D35B0	0_2_021D35B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2DA0	0_2_021D2DA0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D25D4	0_2_021D25D4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55F6	0_2_021D55F6

PE / OLE file has an invalid certificate

Source: F63V4i8eZU.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: F63V4i8eZU.exe, 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe	Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe

Uses 32bit PE files

Source: F63V4i8eZU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8AE4137E60421BDA.TMP

Jump to behavior

Source: F63V4i8eZU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F63V4i8eZU.exe

Virustotal: Detection: 10%

Source: F63V4i8eZU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_00406408 push es; ret	0_2_0040640F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_00405D8C push es; ret	0_2_00405D8B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071833 push edx; ret	0_2_02071861
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074205 push edx; ret	0_2_02074231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072A05 push edx; ret	0_2_02072A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071205 push edx; ret	0_2_02071231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075A03 push edx; ret	0_2_02075A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076214 push edx; ret	0_2_02076241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074A13 push edx; ret	0_2_02074A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073213 push edx; ret	0_2_02073241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071A13 push edx; ret	0_2_02071A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070218 push edx; ret	0_2_02070241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075225 push edx; ret	0_2_02075251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073A24 push edx; ret	0_2_02073A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072224 push edx; ret	0_2_02072251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070A24 push edx; ret	0_2_02070A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076A24 push edx; ret	0_2_02076A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074233 push edx; ret	0_2_02074261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072A33 push edx; ret	0_2_02072A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071233 push edx; ret	0_2_02071261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075A33 push edx; ret	0_2_02075A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074A44 push edx; ret	0_2_02074A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073244 push edx; ret	0_2_02073271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071A44 push edx; ret	0_2_02071A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076244 push edx; ret	0_2_02076271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070248 push edx; ret	0_2_02070271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073A54 push edx; ret	0_2_02073A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072254 push edx; ret	0_2_02072281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076A54 push edx; ret	0_2_02076A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075253 push edx; ret	0_2_02075281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070A58 push edx; ret	0_2_02070A81

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A84	0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AD6	0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AFD	0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D78B2	0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3920	0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3C4D	0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2470	0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4	0_2_021D8DB4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D790A second address: 00000000021D79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F8568CA0D1Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F8568CA0CE4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Code function: 0_2_021D423F rdtsc

0_2_021D423F

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Process Stats: CPU usage > 90% for more than 60s

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F Start: 021D4BE7 End: 021D480D	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46 Start: 021D5BED End: 021D480D	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277 Start: 021D4BE7 End: 021D480D	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263 Start: 021D4BE7 End: 021D480D	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7 Start: 021D4BE7 End: 021D480D	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852 Start: 021D4BE7 End: 021D480D	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E Start: 021D4BE7 End: 021D480D	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128 Start: 021D4BE7 End: 021D480D	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4 Start: 021D4BE7 End: 021D480D	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9 Start: 021D4BE7 End: 021D480D	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E Start: 021D4BE7 End: 021D480D	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488 Start: 021D4BE7 End: 021D480D	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5 Start: 021D4BE7 End: 021D480D	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4 Start: 021D4BE7 End: 021D480D	0_2_021D8DB4

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Code function: 0_2_021D423F rdtsc

0_2_021D423F

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5201 mov eax, dword ptr fs:[00000030h]	0_2_021D5201
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7365 mov eax, dword ptr fs:[00000030h]	0_2_021D7365
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7 mov eax, dword ptr fs:[00000030h]	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33EC mov eax, dword ptr fs:[00000030h]	0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2 mov eax, dword ptr fs:[00000030h]	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC mov eax, dword ptr fs:[00000030h]	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D348A mov eax, dword ptr fs:[00000030h]	0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D6D92 mov eax, dword ptr fs:[00000030h]	0_2_021D6D92

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kinmirai.org/wp-content/bin_QVwo	true	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: F63V4i8eZU.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}

Multi AV Scanner detection for submitted file

Source: F63V4i8eZU.exe

Virustotal: Detection: 10%

Perma Link

Compliance:

Uses 32bit PE files

Source: F63V4i8eZU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_QVwo

Source: F63V4i8eZU.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: F63V4i8eZU.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: F63V4i8eZU.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: F63V4i8eZU.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: F63V4i8eZU.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: F63V4i8eZU.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55BB NtAllocateVirtualMemory,	0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5724 NtAllocateVirtualMemory,	0_2_021D5724
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55F6 NtAllocateVirtualMemory,	0_2_021D55F6

Detected potential crypto function

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55BB	0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8254	0_2_021D8254
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A84	0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D22D5	0_2_021D22D5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AD6	0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AFD	0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5359	0_2_021D5359
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33EC	0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1057	0_2_021D1057
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D78B2	0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D48E8	0_2_021D48E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8138	0_2_021D8138
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3920	0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D19CC	0_2_021D19CC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D0618	0_2_021D0618
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2E2F	0_2_021D2E2F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D9626	0_2_021D9626
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8E7C	0_2_021D8E7C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D968F	0_2_021D968F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8ED8	0_2_021D8ED8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8F40	0_2_021D8F40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7FF5	0_2_021D7FF5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2C5C	0_2_021D2C5C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3C4D	0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2470	0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D348A	0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D84A6	0_2_021D84A6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D84E9	0_2_021D84E9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D34EA	0_2_021D34EA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3568	0_2_021D3568
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D0584	0_2_021D0584
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4	0_2_021D8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D35B0	0_2_021D35B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2DA0	0_2_021D2DA0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D25D4	0_2_021D25D4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D55F6	0_2_021D55F6

PE / OLE file has an invalid certificate

Source: F63V4i8eZU.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: F63V4i8eZU.exe, 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe	Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe

Uses 32bit PE files

Source: F63V4i8eZU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8AE4137E60421BDA.TMP

Jump to behavior

Source: F63V4i8eZU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F63V4i8eZU.exe

Virustotal: Detection: 10%

Source: F63V4i8eZU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_00406408 push es; ret	0_2_0040640F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_00405D8C push es; ret	0_2_00405D8B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071833 push edx; ret	0_2_02071861
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074205 push edx; ret	0_2_02074231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072A05 push edx; ret	0_2_02072A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071205 push edx; ret	0_2_02071231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075A03 push edx; ret	0_2_02075A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076214 push edx; ret	0_2_02076241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074A13 push edx; ret	0_2_02074A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073213 push edx; ret	0_2_02073241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071A13 push edx; ret	0_2_02071A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070218 push edx; ret	0_2_02070241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075225 push edx; ret	0_2_02075251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073A24 push edx; ret	0_2_02073A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072224 push edx; ret	0_2_02072251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070A24 push edx; ret	0_2_02070A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076A24 push edx; ret	0_2_02076A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074233 push edx; ret	0_2_02074261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072A33 push edx; ret	0_2_02072A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071233 push edx; ret	0_2_02071261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075A33 push edx; ret	0_2_02075A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02074A44 push edx; ret	0_2_02074A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073244 push edx; ret	0_2_02073271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02071A44 push edx; ret	0_2_02071A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076244 push edx; ret	0_2_02076271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070248 push edx; ret	0_2_02070271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02073A54 push edx; ret	0_2_02073A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02072254 push edx; ret	0_2_02072281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02076A54 push edx; ret	0_2_02076A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02075253 push edx; ret	0_2_02075281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_02070A58 push edx; ret	0_2_02070A81

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A84	0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AD6	0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2AFD	0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D78B2	0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3920	0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D3C4D	0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D2470	0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4	0_2_021D8DB4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	RDTSC instruction interceptor: First address: 00000000021D790A second address: 00000000021D79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F8568CA0D1Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F8568CA0CE4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Code function: 0_2_021D423F rdtsc

0_2_021D423F

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Process Stats: CPU usage > 90% for more than 60s

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D423F Start: 021D4BE7 End: 021D480D	0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5A46 Start: 021D5BED End: 021D480D	0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4277 Start: 021D4BE7 End: 021D480D	0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4263 Start: 021D4BE7 End: 021D480D	0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7 Start: 021D4BE7 End: 021D480D	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5852 Start: 021D4BE7 End: 021D480D	0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D513E Start: 021D4BE7 End: 021D480D	0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D4128 Start: 021D4BE7 End: 021D480D	0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D46E4 Start: 021D4BE7 End: 021D480D	0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D1FD9 Start: 021D4BE7 End: 021D480D	0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D045E Start: 021D4BE7 End: 021D480D	0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7488 Start: 021D4BE7 End: 021D480D	0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7CA5 Start: 021D4BE7 End: 021D480D	0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D8DB4 Start: 021D4BE7 End: 021D480D	0_2_021D8DB4

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\F63V4i8eZU.exe

Code function: 0_2_021D423F rdtsc

0_2_021D423F

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D5201 mov eax, dword ptr fs:[00000030h]	0_2_021D5201
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7365 mov eax, dword ptr fs:[00000030h]	0_2_021D7365
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33A7 mov eax, dword ptr fs:[00000030h]	0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D33EC mov eax, dword ptr fs:[00000030h]	0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D28E2 mov eax, dword ptr fs:[00000030h]	0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D7EFC mov eax, dword ptr fs:[00000030h]	0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D348A mov eax, dword ptr fs:[00000030h]	0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe	Code function: 0_2_021D6D92 mov eax, dword ptr fs:[00000030h]	0_2_021D6D92

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

ID:	450884
Product:	CloudBasic
Start time:	20:11:12
Start date:	19.07.2021
Sample:	F63V4i8eZU
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	08730cdd286a4c9d46b38bb6545ac311
SHA1:	001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256:	cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report F63V4i8eZU

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted URLs