Windows Analysis Report MWSW9nxmUK

Overview

General Information

Sample Name: MWSW9nxmUK (renamed file extension from none to exe)
Analysis ID: 452531
MD5: c937fc9ed4325e6ab24d49a3175f3a5c
SHA1: 00439295920e78ecac31d1dbf7eb67118d76299a
SHA256: d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
Tags: 32, exe, trojan

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
Multi AV Scanner detection for submitted file
Source: MWSW9nxmUK.exe Virustotal: Detection: 44%
Source: MWSW9nxmUK.exe ReversingLabs: Detection: 42%

Compliance:

Uses 32bit PE files
Source: MWSW9nxmUK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
Source: MWSW9nxmUK.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MWSW9nxmUK.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MWSW9nxmUK.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: MWSW9nxmUK.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: MWSW9nxmUK.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: MWSW9nxmUK.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: MWSW9nxmUK.exe, 00000000.00000002.737092778.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD543B NtAllocateVirtualMemory, 0_2_02BD543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD5540 NtAllocateVirtualMemory, 0_2_02BD5540
Detected potential crypto function
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD543B 0_2_02BD543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3684 0_2_02BD3684
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3ED8 0_2_02BD3ED8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD42C0 0_2_02BD42C0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD163B 0_2_02BD163B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD322C 0_2_02BD322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2228 0_2_02BD2228
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD1A21 0_2_02BD1A21
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3A18 0_2_02BD3A18
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD421B 0_2_02BD421B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD1A78 0_2_02BD1A78
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3A69 0_2_02BD3A69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3259 0_2_02BD3259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD87BC 0_2_02BD87BC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD6FAF 0_2_02BD6FAF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD27A4 0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7BA4 0_2_02BD7BA4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD47A2 0_2_02BD47A2
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD23FF 0_2_02BD23FF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0BDC 0_2_02BD0BDC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD47C8 0_2_02BD47C8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD6B35 0_2_02BD6B35
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD832E 0_2_02BD832E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3325 0_2_02BD3325
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD4712 0_2_02BD4712
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD770F 0_2_02BD770F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2379 0_2_02BD2379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD6B7B 0_2_02BD6B7B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD475F 0_2_02BD475F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7F4E 0_2_02BD7F4E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD80A4 0_2_02BD80A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD28A0 0_2_02BD28A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD048D 0_2_02BD048D
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0889 0_2_02BD0889
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD80EF 0_2_02BD80EF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD48E9 0_2_02BD48E9
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD38D1 0_2_02BD38D1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD80C6 0_2_02BD80C6
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0CC3 0_2_02BD0CC3
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD8C36 0_2_02BD8C36
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2C2A 0_2_02BD2C2A
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD841E 0_2_02BD841E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7077 0_2_02BD7077
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD4860 0_2_02BD4860
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2455 0_2_02BD2455
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0C54 0_2_02BD0C54
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0C4C 0_2_02BD0C4C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD8C42 0_2_02BD8C42
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD15BD 0_2_02BD15BD
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD05B1 0_2_02BD05B1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3D84 0_2_02BD3D84
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7D3E 0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3D2C 0_2_02BD3D2C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2518 0_2_02BD2518
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0916 0_2_02BD0916
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD4912 0_2_02BD4912
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD5908 0_2_02BD5908
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD4105 0_2_02BD4105
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7D06 0_2_02BD7D06
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD517E 0_2_02BD517E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD0147 0_2_02BD0147
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD5D43 0_2_02BD5D43
PE / OLE file has an invalid certificate
Source: MWSW9nxmUK.exe Static PE information: invalid certificate
PE file contains strange resources
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: MWSW9nxmUK.exe, 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
Source: MWSW9nxmUK.exe Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
Uses 32bit PE files
Source: MWSW9nxmUK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe File created: C:\Users\user\AppData\Local\Temp\~DF9A0B27BB2B5BB8A9.TMP
Source: MWSW9nxmUK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MWSW9nxmUK.exe Virustotal: Detection: 44%
Source: MWSW9nxmUK.exe ReversingLabs: Detection: 42%
Source: MWSW9nxmUK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B12F5 push edx; ret 0_2_005B1321
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B1054 push edx; ret 0_2_005B1081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B2854 push edx; ret 0_2_005B2881
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B4054 push edx; ret 0_2_005B4081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B5854 push edx; ret 0_2_005B5881
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B7054 push edx; ret 0_2_005B7081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B0843 push edx; ret 0_2_005B0871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B2043 push edx; ret 0_2_005B2071
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B3843 push edx; ret 0_2_005B3871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B5043 push edx; ret 0_2_005B5071
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B6844 push edx; ret 0_2_005B6871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B0878 push edx; ret 0_2_005B08A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B6875 push edx; ret 0_2_005B68A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B2074 push edx; ret 0_2_005B20A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B3874 push edx; ret 0_2_005B38A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B5074 push edx; ret 0_2_005B50A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B0068 push edx; ret 0_2_005B0091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B3063 push edx; ret 0_2_005B3091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B1863 push edx; ret 0_2_005B1891
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B4863 push edx; ret 0_2_005B4891
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B6065 push edx; ret 0_2_005B6091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B0818 push edx; ret 0_2_005B0841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B3813 push edx; ret 0_2_005B3841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B2013 push edx; ret 0_2_005B2041
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B5013 push edx; ret 0_2_005B5041
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B6814 push edx; ret 0_2_005B6841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B0008 push edx; ret 0_2_005B0031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B600D push edx; ret 0_2_005B6031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B4803 push edx; ret 0_2_005B4831
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B3003 push edx; ret 0_2_005B3031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_005B1803 push edx; ret 0_2_005B1831
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD27A4 0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2379 0_2_02BD2379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD28A0 0_2_02BD28A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7D3E 0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7503 0_2_02BD7503
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov dword ptr [ebp+00000253h], edx
    0x00000010 mov edx, 83A23224h
    0x00000015 cmp bh, ch
    0x00000017 test ah, dh
    0x00000019 xor edx, B23AA633h
    0x0000001f xor edx, 5BA5550Bh
    0x00000025 test ch, 00000068h
    0x00000028 sub edx, 6A3DC11Ch
    0x0000002e test cx, dx
    0x00000031 cmp dword ptr [ebp+00000253h], edx
    0x00000037 mov edx, dword ptr [ebp+00000253h]
    0x0000003d jne 00007F916C39C188h
    0x0000003f dec ebx
    0x00000040 xor edx, edx
    0x00000042 mov eax, ebx
    0x00000044 test si, 634Bh
    0x00000049 mov ecx, D06366DFh
    0x0000004e test bx, cx
    0x00000051 sub ecx, D6A7F971h
    0x00000057 cmp ecx, ecx
    0x00000059 xor ecx, 335F4321h
    0x0000005f sub ecx, CAE42E4Bh
    0x00000065 test ebx, edx
    0x00000067 div ecx
    0x00000069 pushad
    0x0000006a rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov dword ptr [ebp+00000253h], edx
    0x00000010 mov edx, 83A23224h
    0x00000015 cmp bh, ch
    0x00000017 test ah, dh
    0x00000019 xor edx, B23AA633h
    0x0000001f xor edx, 5BA5550Bh
    0x00000025 test ch, 00000068h
    0x00000028 sub edx, 6A3DC11Ch
    0x0000002e test cx, dx
    0x00000031 cmp dword ptr [ebp+00000253h], edx
    0x00000037 mov edx, dword ptr [ebp+00000253h]
    0x0000003d jne 00007F916C39C188h
    0x0000003f dec ebx
    0x00000040 xor edx, edx
    0x00000042 mov eax, ebx
    0x00000044 test si, 634Bh
    0x00000049 mov ecx, D06366DFh
    0x0000004e test bx, cx
    0x00000051 sub ecx, D6A7F971h
    0x00000057 cmp ecx, ecx
    0x00000059 xor ecx, 335F4321h
    0x0000005f sub ecx, CAE42E4Bh
    0x00000065 test ebx, edx
    0x00000067 div ecx
    0x00000069 pushad
    0x0000006a rdtsc
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002BD750B second address: 0000000002BD752A instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 4E5E24E1h
    0x00000007 xor eax, 256A0EB4h
    0x0000000c xor eax, 6B41C15Ch
    0x00000011 xor eax, 0075EB08h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 pushad
    0x0000001a mov ecx, 000000F8h
    0x0000001f rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD92BB rdtsc 0_2_02BD92BB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD92BB rdtsc 0_2_02BD92BB
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD2EF7 mov eax, dword ptr fs:[00000030h] 0_2_02BD2EF7
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD322C mov eax, dword ptr fs:[00000030h] 0_2_02BD322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD3259 mov eax, dword ptr fs:[00000030h] 0_2_02BD3259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD27A4 mov eax, dword ptr fs:[00000030h] 0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD6B69 mov eax, dword ptr fs:[00000030h] 0_2_02BD6B69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD504C mov eax, dword ptr fs:[00000030h] 0_2_02BD504C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7D3E mov eax, dword ptr fs:[00000030h] 0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7106 mov eax, dword ptr fs:[00000030h] 0_2_02BD7106
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7D06 mov eax, dword ptr fs:[00000030h] 0_2_02BD7D06
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02BD7337 cpuid 0_2_02BD7337
No contacted IP infos