Loading ...

Play interactive tourEdit tour

Windows Analysis Report MWSW9nxmUK

Overview

General Information

Sample Name:MWSW9nxmUK (renamed file extension from none to exe)
Analysis ID:452531
MD5:c937fc9ed4325e6ab24d49a3175f3a5c
SHA1:00439295920e78ecac31d1dbf7eb67118d76299a
SHA256:d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • MWSW9nxmUK.exe (PID: 5060 cmdline: 'C:\Users\user\Desktop\MWSW9nxmUK.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: MWSW9nxmUK.exeVirustotal: Detection: 44%Perma Link
    Source: MWSW9nxmUK.exeReversingLabs: Detection: 42%
    Source: MWSW9nxmUK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
    Source: MWSW9nxmUK.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: MWSW9nxmUK.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: MWSW9nxmUK.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: MWSW9nxmUK.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: MWSW9nxmUK.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: MWSW9nxmUK.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: MWSW9nxmUK.exe, 00000000.00000002.737092778.00000000007BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD543B NtAllocateVirtualMemory,0_2_02BD543B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD5540 NtAllocateVirtualMemory,0_2_02BD5540
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD543B0_2_02BD543B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD36840_2_02BD3684
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3ED80_2_02BD3ED8
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD42C00_2_02BD42C0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD163B0_2_02BD163B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD322C0_2_02BD322C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD22280_2_02BD2228
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD1A210_2_02BD1A21
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3A180_2_02BD3A18
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD421B0_2_02BD421B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD1A780_2_02BD1A78
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3A690_2_02BD3A69
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD32590_2_02BD3259
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD87BC0_2_02BD87BC
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD6FAF0_2_02BD6FAF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD27A40_2_02BD27A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7BA40_2_02BD7BA4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD47A20_2_02BD47A2
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD23FF0_2_02BD23FF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD0BDC0_2_02BD0BDC
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD47C80_2_02BD47C8
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD6B350_2_02BD6B35
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD832E0_2_02BD832E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD33250_2_02BD3325
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD47120_2_02BD4712
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD770F0_2_02BD770F
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD23790_2_02BD2379
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD6B7B0_2_02BD6B7B
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD475F0_2_02BD475F
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7F4E0_2_02BD7F4E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD80A40_2_02BD80A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD28A00_2_02BD28A0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD048D0_2_02BD048D
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD08890_2_02BD0889
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD80EF0_2_02BD80EF
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD48E90_2_02BD48E9
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD38D10_2_02BD38D1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD80C60_2_02BD80C6
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD0CC30_2_02BD0CC3
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD8C360_2_02BD8C36
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD2C2A0_2_02BD2C2A
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD841E0_2_02BD841E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD70770_2_02BD7077
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD48600_2_02BD4860
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD24550_2_02BD2455
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD0C540_2_02BD0C54
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD0C4C0_2_02BD0C4C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD8C420_2_02BD8C42
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD15BD0_2_02BD15BD
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD05B10_2_02BD05B1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3D840_2_02BD3D84
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7D3E0_2_02BD7D3E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3D2C0_2_02BD3D2C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD25180_2_02BD2518
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD09160_2_02BD0916
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD49120_2_02BD4912
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD59080_2_02BD5908
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD41050_2_02BD4105
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7D060_2_02BD7D06
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD517E0_2_02BD517E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD01470_2_02BD0147
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD5D430_2_02BD5D43
    Source: MWSW9nxmUK.exeStatic PE information: invalid certificate
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: MWSW9nxmUK.exe, 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
    Source: MWSW9nxmUK.exeBinary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
    Source: MWSW9nxmUK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9A0B27BB2B5BB8A9.TMPJump to behavior
    Source: MWSW9nxmUK.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: MWSW9nxmUK.exeVirustotal: Detection: 44%
    Source: MWSW9nxmUK.exeReversingLabs: Detection: 42%
    Source: MWSW9nxmUK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B12F5 push edx; ret 0_2_005B1321
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B1054 push edx; ret 0_2_005B1081
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B2854 push edx; ret 0_2_005B2881
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B4054 push edx; ret 0_2_005B4081
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B5854 push edx; ret 0_2_005B5881
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B7054 push edx; ret 0_2_005B7081
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B0843 push edx; ret 0_2_005B0871
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B2043 push edx; ret 0_2_005B2071
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B3843 push edx; ret 0_2_005B3871
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B5043 push edx; ret 0_2_005B5071
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B6844 push edx; ret 0_2_005B6871
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B0878 push edx; ret 0_2_005B08A1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B6875 push edx; ret 0_2_005B68A1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B2074 push edx; ret 0_2_005B20A1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B3874 push edx; ret 0_2_005B38A1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B5074 push edx; ret 0_2_005B50A1
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B0068 push edx; ret 0_2_005B0091
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B3063 push edx; ret 0_2_005B3091
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B1863 push edx; ret 0_2_005B1891
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B4863 push edx; ret 0_2_005B4891
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B6065 push edx; ret 0_2_005B6091
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B0818 push edx; ret 0_2_005B0841
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B3813 push edx; ret 0_2_005B3841
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B2013 push edx; ret 0_2_005B2041
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B5013 push edx; ret 0_2_005B5041
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B6814 push edx; ret 0_2_005B6841
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B0008 push edx; ret 0_2_005B0031
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B600D push edx; ret 0_2_005B6031
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B4803 push edx; ret 0_2_005B4831
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B3003 push edx; ret 0_2_005B3031
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_005B1803 push edx; ret 0_2_005B1831
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD27A4 0_2_02BD27A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD2379 0_2_02BD2379
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD28A0 0_2_02BD28A0
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7D3E 0_2_02BD7D3E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7503 0_2_02BD7503
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F916C39C188h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F916C39C188h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeRDTSC instruction interceptor: First address: 0000000002BD750B second address: 0000000002BD752A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h 0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid 0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD92BB rdtsc 0_2_02BD92BB
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD92BB rdtsc 0_2_02BD92BB
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD2EF7 mov eax, dword ptr fs:[00000030h]0_2_02BD2EF7
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD322C mov eax, dword ptr fs:[00000030h]0_2_02BD322C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD3259 mov eax, dword ptr fs:[00000030h]0_2_02BD3259
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD27A4 mov eax, dword ptr fs:[00000030h]0_2_02BD27A4
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD6B69 mov eax, dword ptr fs:[00000030h]0_2_02BD6B69
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD504C mov eax, dword ptr fs:[00000030h]0_2_02BD504C
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7D3E mov eax, dword ptr fs:[00000030h]0_2_02BD7D3E
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7106 mov eax, dword ptr fs:[00000030h]0_2_02BD7106
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7D06 mov eax, dword ptr fs:[00000030h]0_2_02BD7D06
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\MWSW9nxmUK.exeCode function: 0_2_02BD7337 cpuid 0_2_02BD7337

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.