Windows Analysis Report 41609787.exe

Overview

General Information

Sample Name: 41609787.exe
Analysis ID: 452431
MD5: 242fb5498503fdae24861ca26f762745
SHA1: e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256: 7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299

Detection

GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://smokeadmsend.online/loade"}
Multi AV Scanner detection for domain / URL
Source: databasepropersonombrecomercialideasearchwords.services VirusTotal: Detection: 11%
Yara detected Remcos RAT
Source: Yara match File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Compliance:

Uses 32bit PE files
Source: 41609787.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://smokeadmsend.online/loade (the extracted value appears truncated; the full second-stage URL, https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin, is recovered from ieinstal.exe memory in the entries below)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49753 -> 186.169.69.166:2508
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: smokeadmsend.online
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2
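The JA3 value above is a hash of the TLS parameters the client offered, not of the malware itself. Here the download goes through WinINet (note the wininet.dll and Mozilla/5.0 strings in ieinstal.exe memory), so the fingerprint identifies the Windows TLS stack on this OS build and will also match legitimate software using the same library; treat it as corroboration for the domain and IP indicators, not as a detection on its own. The Python below is an added example, not part of the Joe Sandbox report, showing how a JA3 string and hash are derived from a ClientHello: it assembles a constructed ClientHello (the cipher, group and point-format lists are hypothetical; the SNI is the domain from this report) and computes the fingerprint with GREASE values filtered out, which is why the same client hashes identically even when it inserts a random GREASE value per connection.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA. JA3 drops them so the
# randomised GREASE cipher/extension a client inserts does not alter its hash.
GREASE = set(range(0x0A0A, 0x10000, 0x1010))


def _ext(etype, data):
    """One TLS extension: type (2 bytes), length (2 bytes), data."""
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(version, ciphers, groups, point_formats, sni, grease=False):
    """Assemble a minimal TLS ClientHello record. Constructed test input only:
    the field layout follows RFC 5246, but no real client sends exactly this."""
    if grease:
        ciphers = [0x0A0A] + ciphers
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni            # name_type host_name
    sni_ext = _ext(0x0000, struct.pack("!H", len(entry)) + entry)
    grp = b"".join(struct.pack("!H", g) for g in groups)
    groups_ext = _ext(0x000A, struct.pack("!H", len(grp)) + grp)    # supported_groups
    pf = bytes(point_formats)
    pf_ext = _ext(0x000B, bytes([len(pf)]) + pf)                    # ec_point_formats
    exts = (_ext(0x0A0A, b"") if grease else b"") + sni_ext + groups_ext + pf_ext
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"    # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                        # skip 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                             # client_version + random
    pos += 1 + body[pos]                     # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = list(struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len]))
    pos += cs_len
    pos += 1 + body[pos]                     # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    ext_types, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0x000A:                  # supported_groups -> JA3 "EllipticCurves"
            n = struct.unpack("!H", data[:2])[0]
            groups = [g for g in struct.unpack("!%dH" % (n // 2), data[2:2 + n]) if g not in GREASE]
        elif etype == 0x000B:                # ec_point_formats
            formats = list(data[1:1 + data[0]])
    fields = [str(version),
              "-".join(str(c) for c in ciphers if c not in GREASE),
              "-".join(str(e) for e in ext_types),
              "-".join(str(g) for g in groups),
              "-".join(str(f) for f in formats)]
    ja3_str = ",".join(fields)
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


def demo():
    """Same client parameters with and without GREASE yield the same JA3."""
    args = dict(version=0x0303, ciphers=[0xC02B, 0xC02F, 0x009C],
                groups=[0x001D, 0x0017], point_formats=[0], sni=b"smokeadmsend.online")
    return ja3(build_client_hello(**args)), ja3(build_client_hello(grease=True, **args))


if __name__ == "__main__":
    (s, h), (gs, gh) = demo()
    print(s, h, "grease-invariant:", h == gh)
```

Reordering the cipher list changes the hash, which is why one malware family shows different JA3 values depending on the HTTP library and OS it runs under; a JA3 match should be joined with the destination (here the Namecheap-hosted domain and the port-2508 C2) before it is allowed to alert.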

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Windows user hook set: WH_KEYBOARD_LL (low-level keyboard hook), thread id 0 (global, all threads on the desktop), hook module C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\41609787.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 NtSetInformationThread, 0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess, 0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02110176 NtProtectVirtualMemory, 0_2_02110176
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107E15 NtWriteVirtualMemory, 0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108607 NtWriteVirtualMemory, 0_2_02108607
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210720B NtWriteVirtualMemory, 0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210762B NtWriteVirtualMemory, 0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210825E NtWriteVirtualMemory, 0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108677 NtWriteVirtualMemory, 0_2_02108677
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107A95 NtWriteVirtualMemory, 0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA, 0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210829B NtWriteVirtualMemory, 0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210728B NtWriteVirtualMemory, 0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107EA3 NtWriteVirtualMemory, 0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021076E5 NtWriteVirtualMemory, 0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108703 NtWriteVirtualMemory, 0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107305 NtWriteVirtualMemory, 0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 NtWriteVirtualMemory, 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108324 NtWriteVirtualMemory, 0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107F2C NtWriteVirtualMemory, 0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107B2D NtWriteVirtualMemory, 0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107381 NtWriteVirtualMemory, 0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107FB3 NtWriteVirtualMemory, 0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021083B7 NtWriteVirtualMemory, 0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107BC0 NtWriteVirtualMemory, 0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021077EF NtWriteVirtualMemory, 0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210741B NtWriteVirtualMemory, 0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107801 NtWriteVirtualMemory, 0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210843F NtWriteVirtualMemory, 0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210802F NtWriteVirtualMemory, 0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107C4F NtWriteVirtualMemory, 0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107879 NtWriteVirtualMemory, 0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210749C NtWriteVirtualMemory, 0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021070AF NtWriteVirtualMemory, 0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021084D1 NtWriteVirtualMemory, 0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021080C7 NtWriteVirtualMemory, 0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107CE5 NtWriteVirtualMemory, 0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210711D NtWriteVirtualMemory, 0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107903 NtWriteVirtualMemory, 0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103D32 NtWriteVirtualMemory, 0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210813C NtWriteVirtualMemory, 0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107529 NtWriteVirtualMemory, 0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210794C NtWriteVirtualMemory, 0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107D6B NtWriteVirtualMemory, 0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107191 NtWriteVirtualMemory, 0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210799F NtWriteVirtualMemory, 0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DB4 NtWriteVirtualMemory, 0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021081A7 NtWriteVirtualMemory, 0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021075A9 NtWriteVirtualMemory, 0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DF5 NtWriteVirtualMemory, 0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021081FF NtWriteVirtualMemory, 0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_03011587 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 27_2_03011587
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_030116CC NtProtectVirtualMemory, 27_2_030116CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_0301156F LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 27_2_0301156F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_03011687 NtProtectVirtualMemory,NtProtectVirtualMemory, 27_2_03011687
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_0301174E NtProtectVirtualMemory, 27_2_0301174E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_030116D3 NtProtectVirtualMemory, 27_2_030116D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_030117D3 NtProtectVirtualMemory, 27_2_030117D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_030115E3 LdrInitializeThunk,NtProtectVirtualMemory, 27_2_030115E3
Detected potential crypto function
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_004014F0 0_2_004014F0
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210EB03 0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021013C1 0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02109130 0_2_02109130
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107E15 0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106A1F 0_2_02106A1F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210720B 0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101E3A 0_2_02101E3A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101629 0_2_02101629
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210362A 0_2_0210362A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210222A 0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210762B 0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101A2F 0_2_02101A2F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104651 0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102259 0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210825E 0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02100E47 0_2_02100E47
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107A95 0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210169A 0_2_0210169A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210669A 0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210829B 0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210728B 0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101AB7 0_2_02101AB7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107EA3 0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104AAD 0_2_02104AAD
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02100EDB 0_2_02100EDB
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021022DF 0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101EC4 0_2_02101EC4
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021046FB 0_2_021046FB
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021076E5 0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101715 0_2_02101715
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108703 0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107305 0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104730 0_2_02104730
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101B37 0_2_02101B37
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101F3F 0_2_02101F3F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02108324 0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107F2C 0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107B2D 0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210032F 0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102359 0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02100F79 0_2_02100F79
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101F93 0_2_02101F93
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210179F 0_2_0210179F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107381 0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101387 0_2_02101387
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107FB3 0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021083B7 0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101BBD 0_2_02101BBD
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02109BD1 0_2_02109BD1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107BC0 0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106BC7 0_2_02106BC7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101FF6 0_2_02101FF6
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021023EA 0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02100FEF 0_2_02100FEF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021077EF 0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101819 0_2_02101819
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210741B 0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107801 0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104802 0_2_02104802
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210D404 0_2_0210D404
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106C0F 0_2_02106C0F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101C37 0_2_02101C37
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106C37 0_2_02106C37
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210843F 0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210EC2A 0_2_0210EC2A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210802F 0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103053 0_2_02103053
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102043 0_2_02102043
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107C4F 0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106472 0_2_02106472
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107879 0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210107F 0_2_0210107F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210146D 0_2_0210146D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101890 0_2_02101890
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210749C 0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104880 0_2_02104880
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021024A7 0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021064AF 0_2_021064AF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021070AF 0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021084D1 0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021080C7 0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021060CB 0_2_021060CB
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106CE1 0_2_02106CE1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107CE5 0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104914 0_2_02104914
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101918 0_2_02101918
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210451B 0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210711D 0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101503 0_2_02101503
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107903 0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103D32 0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101934 0_2_02101934
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210813C 0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107529 0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210794C 0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210B962 0_2_0210B962
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107D6B 0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101591 0_2_02101591
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107191 0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210699F 0_2_0210699F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210799F 0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02106D85 0_2_02106D85
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DB4 0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02101DB7 0_2_02101DB7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210D5B8 0_2_0210D5B8
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210F9A3 0_2_0210F9A3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021081A7 0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021075A9 0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021055AB 0_2_021055AB
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021019AF 0_2_021019AF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021069D9 0_2_021069D9
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021021DF 0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210B1C3 0_2_0210B1C3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02100DF1 0_2_02100DF1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DF5 0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021081FF 0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_0301136D 27_2_0301136D
PE file contains strange resources
Source: 41609787.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name recorded in version info
Source: 41609787.exe, 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Uses 32bit PE files
Source: 41609787.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Setting EnableLUA to 0 disables User Account Control. The value lives under HKLM, so the write only succeeds if the process is elevated, and the change takes effect after the next reboot; the report records the reg.exe launch, not the outcome of the write.
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@3/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Roaming\Runtime2021
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\RemcosLEG-0OFGX3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\posekiggerne
Source: 41609787.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\41609787.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\41609787.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\41609787.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Users\user\Desktop\41609787.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
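Three things in this process tree are worth turning into detections: ieinstal.exe was started with the dropper's own command line (a process created suspended and then hollowed keeps the command line it was created with while its image path names the target binary), an Internet Explorer helper spawned cmd.exe, and the chain ends in reg.exe setting EnableLUA to 0. The Python below is an added example, not part of the Joe Sandbox report, that runs those three rules over constructed process-creation events modelled on the tree above. The event format, the benign look-alike events 4 and 5, and the cmd.exe prefix on event 2's command line are assumptions (the report lists cmd.exe's arguments without the image name).

```python
import ntpath
import re

# Constructed process-creation events modelled on this report's process tree
# (parent -> image, plus the command line). Test input, not a sandbox export.
EVENTS = [
    {"id": 1, "parent": r"C:\Users\user\Desktop\41609787.exe",
     "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "cmdline": r"C:\Users\user\Desktop\41609787.exe"},
    {"id": 2, "parent": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"id": 3, "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign look-alikes (assumed) that must stay quiet.
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\ieinstal.exe" /run'},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]

# reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0  (case-insensitive, any flag order after ADD)
UAC_OFF = re.compile(r"\bADD\b.*Policies\\System\b.*\bEnableLUA\b.*/d\s+0(?!\d)", re.I)
# Binaries that have no business spawning a shell; extend from your own telemetry.
PARENT_NEVER_SHELLS = {"ieinstal.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

_FIRST = re.compile(r"""^\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def first_token(cmdline):
    """Executable named by a command line: a quoted path or the first bare token."""
    m = _FIRST.match(cmdline)
    return next(g for g in m.groups() if g is not None) if m else ""


def evaluate(events):
    """Run the three rules; return (rule, event id) pairs in event order."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        claimed = ntpath.basename(first_token(ev["cmdline"])).lower()
        # Image path and command line disagree about which executable this is:
        # the footprint of CreateProcess(CREATE_SUSPENDED) followed by a hollow.
        if claimed and claimed != image:
            hits.append(("image_cmdline_mismatch", ev["id"]))
        if parent in PARENT_NEVER_SHELLS and image in SHELLS:
            hits.append(("shell_from_ie_helper", ev["id"]))
        # Matched on the shell's command line too, so the intent is caught even
        # if the reg.exe child itself is not logged.
        if UAC_OFF.search(ev["cmdline"]):
            hits.append(("uac_disable_via_reg", ev["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in evaluate(EVENTS):
        print(f"{rule:<24} event {event_id}")
```

The mismatch rule also fires on legitimate WOW64 redirection only when the file names differ, not the directories (event 3's System32 vs SysWOW64 reg.exe is deliberately not flagged); tune PARENT_NEVER_SHELLS and SHELLS to your environment before deploying. The Run key value SPINTOS written by ieinstal.exe (see the registry entries later in the report) is the persistence indicator to pair with these rules.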

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02061774 push edx; ret 0_2_020617A1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02064205 push edx; ret 0_2_02064231
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02062A05 push edx; ret 0_2_02062A31
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02061205 push edx; ret 0_2_02061231
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02065A03 push edx; ret 0_2_02065A31
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02066214 push edx; ret 0_2_02066241
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02064A13 push edx; ret 0_2_02064A41
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02063213 push edx; ret 0_2_02063241
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02061A13 push edx; ret 0_2_02061A41
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02060218 push edx; ret 0_2_02060241
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02063A24 push edx; ret 0_2_02063A51
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02062224 push edx; ret 0_2_02062251
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02060A24 push edx; ret 0_2_02060A51
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02066A24 push edx; ret 0_2_02066A51
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02065225 push edx; ret 0_2_02065251
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02064233 push edx; ret 0_2_02064261
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02062A33 push edx; ret 0_2_02062A61
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02061233 push edx; ret 0_2_02061261
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02065A33 push edx; ret 0_2_02065A61
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02064A44 push edx; ret 0_2_02064A71
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02063244 push edx; ret 0_2_02063271
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02061A44 push edx; ret 0_2_02061A71
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02066244 push edx; ret 0_2_02066271
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02060248 push edx; ret 0_2_02060271
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02063A54 push edx; ret 0_2_02063A81
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02062254 push edx; ret 0_2_02062281
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02066A54 push edx; ret 0_2_02066A81
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02065253 push edx; ret 0_2_02065281
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02060A58 push edx; ret 0_2_02060A81
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02065A64 push edx; ret 0_2_02065A91
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02064263 push edx; ret 0_2_02064291
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS
Source: C:\Users\user\Desktop\41609787.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess, 0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107E15 NtWriteVirtualMemory, 0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210720B NtWriteVirtualMemory, 0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210222A 0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210762B NtWriteVirtualMemory, 0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104651 0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102259 TerminateProcess, 0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107A95 NtWriteVirtualMemory, 0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA, 0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210728B NtWriteVirtualMemory, 0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107EA3 NtWriteVirtualMemory, 0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021022DF 0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021076E5 NtWriteVirtualMemory, 0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107305 NtWriteVirtualMemory, 0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 NtWriteVirtualMemory, 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107F2C NtWriteVirtualMemory, 0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107B2D NtWriteVirtualMemory, 0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210032F LdrInitializeThunk, 0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102359 0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107381 NtWriteVirtualMemory, 0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107FB3 NtWriteVirtualMemory, 0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107BC0 NtWriteVirtualMemory, 0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021023EA 0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021077EF NtWriteVirtualMemory, 0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210741B NtWriteVirtualMemory, 0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107801 NtWriteVirtualMemory, 0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107C4F NtWriteVirtualMemory, 0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107879 NtWriteVirtualMemory, 0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210749C NtWriteVirtualMemory, 0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021024A7 0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021070AF NtWriteVirtualMemory, 0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107CE5 NtWriteVirtualMemory, 0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210451B 0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210711D NtWriteVirtualMemory, 0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107903 NtWriteVirtualMemory, 0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103D32 NtWriteVirtualMemory, 0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107529 NtWriteVirtualMemory, 0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210794C NtWriteVirtualMemory, 0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107D6B NtWriteVirtualMemory, 0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107191 NtWriteVirtualMemory, 0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210799F NtWriteVirtualMemory, 0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DB4 NtWriteVirtualMemory, 0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021075A9 NtWriteVirtualMemory, 0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021021DF TerminateProcess, 0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DF5 NtWriteVirtualMemory, 0_2_02107DF5
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\OPTRNER.EXE\POSEKIGGERNESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSPINTOSHTTPS://SMOKEADMSEND.ONLINE/LOADER/1ARMADANAC1COPIA_YCUSOPUSF143.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210DA09 second address: 000000000210DA09 instructions:
0x00000000 rdtsc
0x00000002 popad
0x00000003 add esi, 02h
0x00000006 mov word ptr [ebp+00000176h], ax
0x0000000d mov ax, word ptr [esi]
0x00000010 cmp ax, 0000h
0x00000014 mov ax, word ptr [ebp+00000176h]
0x0000001b jne 00007F5CC09CC9EFh
0x0000001d mov ebx, edx
0x0000001f shl edx, 05h
0x00000022 add edx, ebx
0x00000024 movzx ebx, byte ptr [esi]
0x00000027 add edx, ebx
0x00000029 xor edx, 19974490h
0x0000002f jmp 00007F5CC09CCA9Eh
0x00000031 pushad
0x00000032 mov edx, 0000000Dh
0x00000037 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 rdtsc 0_2_021107A1
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 1353
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\41609787.exe API coverage: 9.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936 Thread sleep count: 1353 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 1353 delay: -5
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=\optrner.exe\posekiggerneSoftware\Microsoft\Windows\CurrentVersion\RunSPINTOShttps://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\41609787.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\41609787.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 rdtsc 0_2_021107A1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210A907 LdrInitializeThunk, 0_2_0210A907
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210EB03 mov eax, dword ptr fs:[00000030h] 0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210CE1B mov eax, dword ptr fs:[00000030h] 0_2_0210CE1B
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 mov eax, dword ptr fs:[00000030h] 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210943A mov eax, dword ptr fs:[00000030h] 0_2_0210943A
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210D822 mov eax, dword ptr fs:[00000030h] 0_2_0210D822
Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021055AB mov eax, dword ptr fs:[00000030h] 0_2_021055AB

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\41609787.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\41609787.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Progman
Source: xlogs201.dat.27.dr Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY