Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.25640

Overview

General Information

Sample Name: SecuriteInfo.com.__vbaHresultCheckObj.11013.25640 (renamed file extension from 25640 to exe)
Analysis ID: 451415
MD5: c6066a473750ed5ad023d20ce532c8c8
SHA1: b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256: 932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
Tags: exe

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://andreameixueiro.com/IRANSAT_Vsidob74.bin
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228274 NtAllocateVirtualMemory,1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222827B NtAllocateVirtualMemory,1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228306 NtAllocateVirtualMemory,1_2_02228306
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022283BF NtAllocateVirtualMemory,1_2_022283BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222840D NtAllocateVirtualMemory,1_2_0222840D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228487 NtAllocateVirtualMemory,1_2_02228487
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228274 1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DE22 1_2_0222DE22
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223E26 1_2_02223E26
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223E36 1_2_02223E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CA3F 1_2_0222CA3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CE00 1_2_0222CE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EA01 1_2_0222EA01
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CA17 1_2_0222CA17
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222626C 1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220A71 1_2_02220A71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220A77 1_2_02220A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222827B 1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DE43 1_2_0222DE43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222124F 1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226E50 1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221A57 1_2_02221A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222725B 1_2_0222725B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D25D 1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02227EAB 1_2_02227EAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220AB2 1_2_02220AB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223EB5 1_2_02223EB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022266BD 1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221680 1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DE80 1_2_0222DE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221A89 1_2_02221A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CE96 1_2_0222CE96
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BE97 1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226A9C 1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022232E5 1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022212E9 1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226EEF 1_2_02226EEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DEF2 1_2_0222DEF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220ED0 1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CAD5 1_2_0222CAD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221B27 1_2_02221B27
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226327 1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220B2C 1_2_02220B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223B36 1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DF36 1_2_0222DF36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226B04 1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02227B0E 1_2_02227B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222171F 1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223F6F 1_2_02223F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222E772 1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CB77 1_2_0222CB77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226742 1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DF4F 1_2_0222DF4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C350 1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C750 1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BF51 1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022213AA 1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022217BF 1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C783 1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CF8C 1_2_0222CF8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223B8D 1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222678D 1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222B791 1_2_0222B791
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226B91 1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226F9B 1_2_02226F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DFE3 1_2_0222DFE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022263E7 1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022287F0 1_2_022287F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220BC2 1_2_02220BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BBCE 1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221BD7 1_2_02221BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220FDB 1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02222BDE 1_2_02222BDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223C37 1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222143F 1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226C05 1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BC08 1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C010 1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CC1F 1_2_0222CC1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02222C1C 1_2_02222C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226866 1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222086C 1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221874 1_2_02221874
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220C4A 1_2_02220C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C84F 1_2_0222C84F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C453 1_2_0222C453
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222305E 1_2_0222305E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222705F 1_2_0222705F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C45F 1_2_0222C45F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BCB6 1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022230B9 1_2_022230B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221083 1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EC92 1_2_0222EC92
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226497 1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222E097 1_2_0222E097
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226C95 1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022210EB 1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022268E9 1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022214EF 1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223CF6 1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022208FA 1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C8FB 1_2_0222C8FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CCFF 1_2_0222CCFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CCCB 1_2_0222CCCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022260D4 1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221925 1_2_02221925
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223D33 1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DD3F 1_2_0222DD3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DD02 1_2_0222DD02
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02227104 1_2_02227104
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DD0F 1_2_0222DD0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226D63 1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DD78 1_2_0222DD78
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BD42 1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223D43 1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226545 1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222CD55 1_2_0222CD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02225D5F 1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D1B1 1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223DB6 1_2_02223DB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022271B4 1_2_022271B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222DDBB 1_2_0222DDBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C993 1_2_0222C993
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226991 1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222159A 1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222619D 1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022215E1 1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022265ED 1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226DFE 1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C9FF 1_2_0222C9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BDFC 1_2_0222BDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022219C3 1_2_022219C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223DC9 1_2_02223DC9
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | File created: C:\Users\user\AppData\Local\Temp\~DF934512EC1FF84EF0.TMP
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | ReversingLabs: Detection: 30%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, type: SAMPLE
Source: Yara match | File source: 1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0040663B push ebp; iretd 1_2_00406645
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE10 push esi; retf 1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE60 push esi; retf 1_2_0222EE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE64 push esi; retf 1_2_0222EE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE68 push esi; retf 1_2_0222EE6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE6C push esi; retf 1_2_0222EE6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE70 push esi; retf 1_2_0222EE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE74 push esi; retf 1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE78 push esi; retf 1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EE5C push esi; retf 1_2_0222EE5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EEAD push esi; retf 1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228AF9 push ebp; retf 1_2_02228B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222EC92 push esi; retf 1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02228274 NtAllocateVirtualMemory,1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222626C 1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222124F 1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226E50 1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D25D 1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022266BD 1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221680 1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BE97 1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226A9C 1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022232E5 1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022212E9 1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D2FF 1_2_0222D2FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220ED0 1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226327 1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223B36 1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226B04 1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222171F 1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222E772 1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226742 1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C350 1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BF51 1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D3A4 1_2_0222D3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022213AA 1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D3A8 1_2_0222D3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022217BF 1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223B8D 1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222678D 1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226B91 1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022263E7 1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BBCE 1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02220FDB 1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223C37 1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222143F 1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226C05 1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BC08 1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222C010 1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226866 1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222086C 1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222B846 1_2_0222B846
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BCB6 1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02221083 1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226497 1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226C95 1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022210EB 1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022268E9 1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022214EF 1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223CF6 1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022208FA 1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022260D4 1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223D33 1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226D63 1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222BD42 1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02223D43 1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226545 1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02225D5F 1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222D1B1 1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_02226991 1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222159A 1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_0222619D 1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022215E1 1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe | Code function: 1_2_022265ED 1_2_022265ED
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exeCode function: 1_2_02226DFE 1_2_02226DFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exeCode function: 1_2_0222BDFC 1_2_0222BDFC
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a xor edx, AD6145DAh
                0x00000010 cmp bh, dh
                0x00000012 test bh, ah
                0x00000014 xor edx, 12B119F7h
                0x0000001a test bx, dx
                0x0000001d cmp ecx, ecx
                0x0000001f xor edx, D2104AFFh
                0x00000025 test ebx, edx
                0x00000027 mov ebx, edx
                0x00000029 pushad
                0x0000002a rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a shl edx, 05h
                0x0000000d add edx, ebx
                0x0000000f movzx ebx, byte ptr [esi]
                0x00000012 cmp bh, dh
                0x00000014 add edx, ebx
                0x00000016 xor edx, 09D23C6Ah
                0x0000001c jmp 00007F0104364A0Eh
                0x0000001e push ss
                0x0000001f pop ss
                0x00000020 jmp 00007F0104364A09h
                0x00000022 add esi, 02h
                0x00000025 mov word ptr [ebp+00000271h], bx
                0x0000002c mov bx, word ptr [esi]
                0x0000002f cmp bx, 0000h
                0x00000033 mov bx, word ptr [ebp+00000271h]
                0x0000003a jne 00007F0104364950h
                0x00000040 mov ebx, edx
                0x00000042 pushad
                0x00000043 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a mov edx, 9D78574Ah
                0x0000000f pushad
                0x00000010 mov edx, 000000F5h
                0x00000015 rdtsc
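            Every record above opens with the same rdtsc / mov eax,1 / cpuid / popad stub, and the offsets the interceptor prints (0, 2, 7, 9, 0xa) correspond to its fixed 10-byte encoding 0F 31 B8 01 00 00 00 0F A2 61. That makes the stub a cheap static indicator for this instruction-hammering wrapper, far more specific than the bare 0F 31 (rdtsc) opcode, which also occurs inside immediates and displacements of unrelated instructions. The following C scanner is an added example written for this report, not code from the sample or from the sandbox; the buffer it scans is constructed by hand-assembling the record at 0222C060 above (twice, with NOP padding), not extracted from the binary. Because the flagged functions sit at 0x0222xxxx, well outside a VB6 executable's own image, run this over a memory dump of the process rather than over the file on disk.

```c
/* Added example (not the sample's or the sandbox's code): static scan for the
 * rdtsc; mov eax,1; cpuid; popad stub seen in the GuLoader RDTSC traces. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0F 31 = rdtsc, B8 01 00 00 00 = mov eax,1, 0F A2 = cpuid, 61 = popad */
static const uint8_t STUB[] = {0x0F, 0x31, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x0F, 0xA2, 0x61};
static const uint8_t RDTSC_OP[] = {0x0F, 0x31};

/* One 23-byte record hand-assembled from the listing at 0222C060:
 * stub; mov edx,9D78574Ah; pushad; mov edx,0F5h; rdtsc */
#define RECORD 0x0F, 0x31, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x0F, 0xA2, 0x61, \
               0xBA, 0x4A, 0x57, 0x78, 0x9D, 0x60, 0xBA, 0xF5, 0x00, 0x00, 0x00, 0x0F, 0x31

/* Constructed input: two records separated by three NOPs (49 bytes). */
static const uint8_t SAMPLE[] = {RECORD, 0x90, 0x90, 0x90, RECORD};

/* Offset of the first occurrence of pat at or after start, or -1 if none. */
long find_pattern(const uint8_t *buf, size_t n, size_t start,
                  const uint8_t *pat, size_t plen) {
    if (plen == 0 || n < plen) return -1;
    for (size_t i = start; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Number of (possibly overlapping) occurrences of pat in buf. */
size_t count_pattern(const uint8_t *buf, size_t n, const uint8_t *pat, size_t plen) {
    size_t count = 0;
    long pos = find_pattern(buf, n, 0, pat, plen);
    while (pos >= 0) {
        count++;
        pos = find_pattern(buf, n, (size_t)pos + 1, pat, plen);
    }
    return count;
}

long find_stub(const uint8_t *buf, size_t n, size_t start) {
    return find_pattern(buf, n, start, STUB, sizeof STUB);
}
size_t count_stubs(const uint8_t *buf, size_t n) {
    return count_pattern(buf, n, STUB, sizeof STUB);
}
/* Bare rdtsc opcode count: useful as a noisy secondary signal only. */
size_t count_rdtsc(const uint8_t *buf, size_t n) {
    return count_pattern(buf, n, RDTSC_OP, sizeof RDTSC_OP);
}

int main(void) {
    printf("rdtsc/cpuid/popad stubs: %zu, bare rdtsc opcodes: %zu\n",
           count_stubs(SAMPLE, sizeof SAMPLE), count_rdtsc(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

            On the constructed buffer the scanner reports two full stubs (at offsets 0 and 26) against four bare rdtsc opcodes, which is the point: the full stub is the signal worth alerting on, the opcode count alone is not.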
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a xor edx, AD6145DAh
                0x00000010 cmp bh, dh
                0x00000012 test bh, ah
                0x00000014 xor edx, 12B119F7h
                0x0000001a test bx, dx
                0x0000001d cmp ecx, ecx
                0x0000001f xor edx, D2104AFFh
                0x00000025 test ebx, edx
                0x00000027 mov ebx, edx
                0x00000029 pushad
                0x0000002a rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a shl edx, 05h
                0x0000000d add edx, ebx
                0x0000000f movzx ebx, byte ptr [esi]
                0x00000012 cmp bh, dh
                0x00000014 add edx, ebx
                0x00000016 xor edx, 09D23C6Ah
                0x0000001c jmp 00007F0104364A0Eh
                0x0000001e push ss
                0x0000001f pop ss
                0x00000020 jmp 00007F0104364A09h
                0x00000022 add esi, 02h
                0x00000025 mov word ptr [ebp+00000271h], bx
                0x0000002c mov bx, word ptr [esi]
                0x0000002f cmp bx, 0000h
                0x00000033 mov bx, word ptr [ebp+00000271h]
                0x0000003a jne 00007F0104364950h
                0x00000040 mov ebx, edx
                0x00000042 pushad
                0x00000043 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, 00000001h
                0x00000007 cpuid
                0x00000009 popad
                0x0000000a mov edx, 9D78574Ah
                0x0000000f pushad
                0x00000010 mov edx, 000000F5h
                0x00000015 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222C075 second address: 000000000222C0A1 instructions:
                0x00000000 rdtsc
                0x00000002 popad
                0x00000003 xor edx, 2F78EC29h
                0x00000009 xor edx, 66DC7D09h
                0x0000000f cmp cx, cx
                0x00000012 cmp bx, cx
                0x00000015 add edx, 2B23399Ah
                0x0000001b cmp bl, bl
                0x0000001d cmp dword ptr [edi+14h], edx
                0x00000020 mov edx, dword ptr [ebp+000001CDh]
                0x00000026 je 00007F01043649F6h
                0x00000028 pushad
                0x00000029 lfence
                0x0000002c rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  RDTSC instruction interceptor: First address: 000000000222C0A1 second address: 000000000222BD95 instructions:
                0x00000000 rdtsc
                0x00000002 lfence
                0x00000005 shl edx, 20h
                0x00000008 or edx, eax
                0x0000000a popad
                0x0000000b jmp 00007F0104E2E8B8h
                0x00000010 jmp 00007F0104E2ECE2h
                0x00000012 cmp bx, bx
                0x00000015 add esi, 00001000h
                0x0000001b test bh, ah
                0x0000001d test ch, ch
                0x0000001f mov dword ptr [ebp+000001CEh], esi
                0x00000025 mov esi, D1CB123Dh
                0x0000002a test ax, bx
                0x0000002d xor esi, 9D079601h
                0x00000033 cmp bl, al
                0x00000035 xor esi, 6EEE3B7Fh
                0x0000003b test ax, ax
                0x0000003e sub esi, 2221CF43h
                0x00000044 test bl, bl
                0x00000046 cmp dword ptr [ebp+000001CEh], esi
                0x0000004c mov esi, dword ptr [ebp+000001CEh]
                0x00000052 je 00007F0104E2F5D7h
                0x00000058 test ah, ch
                0x0000005a test ax, 00005041h
                0x0000005e mov dword ptr [ebp+00000218h], esi
                0x00000064 cmp cl, FFFFFFB9h
                0x00000067 mov esi, 1CDCD8D0h
                0x0000006c jmp 00007F0104E2ECE6h
                0x0000006e test bx, cx
                0x00000071 cmp edx, ecx
                0x00000073 xor esi, 8DEA0809h
                0x00000079 test edi, 1851CFE8h
                0x0000007f cmp ch, bh
                0x00000081 xor esi, 46C5E00Dh
                0x00000087 pushad
                0x00000088 mov ebx, 000000B2h
                0x0000008d rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_02228274 rdtsc
            Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
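            The technique this signature names is the classic hypervisor timing check: read the time-stamp counter, execute CPUID (which forces a VM exit under almost every hypervisor), read the counter again, and treat a large delta as evidence of virtualisation. The pushad/popad around each rdtsc-cpuid pair in the traces above preserves the working registers so the check can be interleaved with the loader's real work, and most of the pairs discard their result, which is why the sandbox also files them as dummy sequences. The C below is an added illustration of that check written for this report, not the sample's own code: the 1000-tick threshold is an assumed, illustrative value and was not recovered from the sample, and the minimum-of-N sampling is a common refinement rather than something the traces show. It builds with GCC or Clang on x86/x86-64 only.

```c
/* Added example (not the sample's code): RDTSC-bracketed CPUID timing check.
 * GCC/Clang on x86 or x86-64 only. */
#include <stdint.h>
#include <stdio.h>
#include <x86intrin.h>   /* __rdtsc */
#include <cpuid.h>       /* __cpuid */

/* Illustrative threshold in TSC ticks; assumed for this example, not taken
 * from the sample. Native CPUID costs on the order of a hundred ticks,
 * a trapped one under a hypervisor costs far more. */
#define ASSUMED_VM_THRESHOLD 1000ULL

/* rdtsc; mov eax,1; cpuid; rdtsc: cost of one CPUID leaf-1 query.
 * CPUID is serialising, so the two reads bracket it tightly. */
static uint64_t cpuid_cycles(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(1, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}

/* Minimum over several samples: the smallest delta is closest to the true
 * cost, discarding interrupts and context switches that inflate a single run. */
uint64_t min_cpuid_cycles(int samples) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = cpuid_cycles();
        if (d < best) best = d;
    }
    return best;
}

/* Pure decision step, kept separate so the policy can be tested on its own. */
int looks_virtualized(uint64_t cycles, uint64_t threshold) {
    return cycles > threshold ? 1 : 0;
}

int main(void) {
    uint64_t cycles = min_cpuid_cycles(200);
    printf("min cpuid cost: %llu ticks -> %s\n", (unsigned long long)cycles,
           looks_virtualized(cycles, ASSUMED_VM_THRESHOLD) ? "likely virtualised"
                                                            : "looks bare-metal");
    return 0;
}
```

            The "RDTSC instruction interceptor" records above exist because the sandbox hooks the instruction, which is the standard counter to this check: a hypervisor that traps or offsets RDTSC can hand back deltas that look native, so the loader's verdict depends entirely on whether the analysis environment bothers to do so.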

            Anti Debugging:

            Found potential dummy code loops (likely to delay analysis)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Process Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_02228274 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222AA71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222B2B6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222C350 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222C750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222C783 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_02227C90 mov eax, dword ptr fs:[00000030h]
            Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp  Binary or memory string: Program Manager
            Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
            Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp  Binary or memory string: Progman
            Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe  Code function: 1_2_0222B4B5 cpuid

            Mitre Att&ck Matrix

            One line per tactic column of the matrix. Bracketed figures are the report's superscript hit markers, kept as extracted; unmarked entries are the matrix's fixed placeholder techniques, not findings for this sample.

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Process Injection [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: Virtualization/Sandbox Evasion [11]; Process Injection [1]; Obfuscated Files or Information [1]; Binary Padding
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
            Discovery: Security Software Discovery [41]; Virtualization/Sandbox Evasion [11]; Process Discovery [1]; System Information Discovery [311]
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Encrypted Channel [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

            Behavior Graph

            Screenshots
