Windows Analysis Report MWSW9nxmUK.exe

Overview

General Information

Sample Name: MWSW9nxmUK.exe
Analysis ID: 452531
MD5: c937fc9ed4325e6ab24d49a3175f3a5c
SHA1: 00439295920e78ecac31d1dbf7eb67118d76299a
SHA256: d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
Tags: 32 exe trojan

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file name differs from the original file name in version info
Uses 32bit PE files

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
Multi AV Scanner detection for submitted file
Source: MWSW9nxmUK.exe Virustotal: Detection: 44%
Source: MWSW9nxmUK.exe ReversingLabs: Detection: 42%

Compliance:

Uses 32bit PE files
Source: MWSW9nxmUK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
Source: MWSW9nxmUK.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MWSW9nxmUK.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MWSW9nxmUK.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MWSW9nxmUK.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: MWSW9nxmUK.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: MWSW9nxmUK.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: MWSW9nxmUK.exe String found in binary or memory: https://www.digicert.com/CPS0
Note: the digicert.com URLs above are the CRL, OCSP, AIA and CPS pointers carried inside the sample's (invalid) Authenticode signature and its timestamping certificate chain; they are certificate metadata, not contacted hosts or C2. The trailing characters (0, 0P, 0:, 0C, 0O) are adjacent DER bytes swept up by string extraction. The only network indicator from the sample's own logic is the payload URL in the extracted configuration.

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7543B NtAllocateVirtualMemory, 0_2_02F7543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F75540 NtAllocateVirtualMemory, 0_2_02F75540
Detected potential crypto function
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7543B 0_2_02F7543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F780EF 0_2_02F780EF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F748E9 0_2_02F748E9
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F738D1 0_2_02F738D1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73ED8 0_2_02F73ED8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F780C6 0_2_02F780C6
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70CC3 0_2_02F70CC3
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F742C0 0_2_02F742C0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F780A4 0_2_02F780A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F728A0 0_2_02F728A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73684 0_2_02F73684
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7048D 0_2_02F7048D
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70889 0_2_02F70889
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77077 0_2_02F77077
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F71A78 0_2_02F71A78
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F74860 0_2_02F74860
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73A69 0_2_02F73A69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72455 0_2_02F72455
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70C54 0_2_02F70C54
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73259 0_2_02F73259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F78C42 0_2_02F78C42
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70C4C 0_2_02F70C4C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F78C36 0_2_02F78C36
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7163B 0_2_02F7163B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F71A21 0_2_02F71A21
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7322C 0_2_02F7322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72C2A 0_2_02F72C2A
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72228 0_2_02F72228
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7841E 0_2_02F7841E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7421B 0_2_02F7421B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73A18 0_2_02F73A18
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F723FF 0_2_02F723FF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70BDC 0_2_02F70BDC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F747C8 0_2_02F747C8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F705B1 0_2_02F705B1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F715BD 0_2_02F715BD
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F787BC 0_2_02F787BC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F727A4 0_2_02F727A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77BA4 0_2_02F77BA4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F747A2 0_2_02F747A2
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F76FAF 0_2_02F76FAF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73D84 0_2_02F73D84
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7517E 0_2_02F7517E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F76B7B 0_2_02F76B7B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72379 0_2_02F72379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7475F 0_2_02F7475F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70147 0_2_02F70147
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F75D43 0_2_02F75D43
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77F4E 0_2_02F77F4E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F76B35 0_2_02F76B35
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77D3E 0_2_02F77D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73325 0_2_02F73325
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7832E 0_2_02F7832E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73D2C 0_2_02F73D2C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F70916 0_2_02F70916
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F74712 0_2_02F74712
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F74912 0_2_02F74912
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72518 0_2_02F72518
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77D06 0_2_02F77D06
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F74105 0_2_02F74105
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7770F 0_2_02F7770F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F75908 0_2_02F75908
PE / OLE file has an invalid certificate
Source: MWSW9nxmUK.exe Static PE information: invalid certificate
PE file contains strange resources
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in version info
Source: MWSW9nxmUK.exe, 00000000.00000002.1287872087.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
Source: MWSW9nxmUK.exe Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
Uses 32bit PE files
Source: MWSW9nxmUK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe File created: C:\Users\user\AppData\Local\Temp\~DF0F4B240A12FF61B4.TMP
Source: MWSW9nxmUK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MWSW9nxmUK.exe Virustotal: Detection: 44%
Source: MWSW9nxmUK.exe ReversingLabs: Detection: 42%
Source: MWSW9nxmUK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1292263867.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F728A0 0_2_02F728A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F727A4 0_2_02F727A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72379 0_2_02F72379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77D3E 0_2_02F77D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77503 0_2_02F77503
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002F78CAB second address: 0000000002F78CAB instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov dword ptr [ebp+00000253h], edx
    0x00000010 mov edx, 83A23224h
    0x00000015 cmp bh, ch
    0x00000017 test ah, dh
    0x00000019 xor edx, B23AA633h
    0x0000001f xor edx, 5BA5550Bh
    0x00000025 test ch, 00000068h
    0x00000028 sub edx, 6A3DC11Ch
    0x0000002e test cx, dx
    0x00000031 cmp dword ptr [ebp+00000253h], edx
    0x00000037 mov edx, dword ptr [ebp+00000253h]
    0x0000003d jne 00007F180C9266B8h
    0x0000003f dec ebx
    0x00000040 xor edx, edx
    0x00000042 mov eax, ebx
    0x00000044 test si, 634Bh
    0x00000049 mov ecx, D06366DFh
    0x0000004e test bx, cx
    0x00000051 sub ecx, D6A7F971h
    0x00000057 cmp ecx, ecx
    0x00000059 xor ecx, 335F4321h
    0x0000005f sub ecx, CAE42E4Bh
    0x00000065 test ebx, edx
    0x00000067 div ecx
    0x00000069 pushad
    0x0000006a rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002F78CAB second address: 0000000002F78CAB (same instruction sequence as listed under the previous signature)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe RDTSC instruction interceptor: First address: 0000000002F7750B second address: 0000000002F7752A instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 4E5E24E1h
    0x00000007 xor eax, 256A0EB4h
    0x0000000c xor eax, 6B41C15Ch
    0x00000011 xor eax, 0075EB08h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 pushad
    0x0000001a mov ecx, 000000F8h
    0x0000001f rdtsc
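The two interceptor dumps above show the rdtsc/cpuid pair wrapped in pushad/popad, with the cpuid leaf, the comparison value and the divisor hidden behind mov/xor/sub chains of junk-looking immediates. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it replays those immediate chains over the instruction text copied verbatim from the two entries above and reports the constant each register holds at the instruction that consumes it. The parser, the register model and the function names are this editor's own, and the model only covers the mnemonics that occur in these dumps.

```python
"""Fold the obfuscated immediates in the captured RDTSC/CPUID loops.

Added example (not from the sandbox report): replay mov/xor/sub/add
immediate arithmetic on 32-bit registers and show what each chain
resolves to at the instruction that uses the result.
"""
import re

MASK32 = 0xFFFFFFFF
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# One instruction per "0xNNNNNNNN <text>" interceptor offset.
INSN_RE = re.compile(r"0x[0-9A-Fa-f]{8} (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")
# MASM-style immediate; two or more digits so "bh"/"ch" are not taken for one.
IMM_RE = re.compile(r"^[0-9A-Fa-f]{2,}h$")

# Instruction text copied from the report's two interceptor entries.
DUMPS = {
    "02F78CAB": (
        "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid "
        "0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx "
        "0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh "
        "0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh "
        "0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch "
        "0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx "
        "0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F180C9266B8h "
        "0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx "
        "0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx "
        "0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h "
        "0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx "
        "0x00000069 pushad 0x0000006a rdtsc"
    ),
    "02F7750B": (
        "0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h "
        "0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid "
        "0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc"
    ),
}


def split_instructions(dump):
    """Return the bare 'mnemonic operands' strings in trace order."""
    return [m.group(1).strip() for m in INSN_RE.finditer(dump)]


def _parse(insn):
    mnemonic, _, rest = insn.partition(" ")
    operands = [o.strip() for o in rest.split(",")] if rest else []
    return mnemonic, operands


def fold_constants(dump):
    """Replay immediate arithmetic on tracked 32-bit registers.

    Returns (findings, known): findings is a list of (instruction, register,
    value) for each consumer (cpuid leaf in eax, div divisor, cmp against
    memory); known maps registers still holding a folded constant at the end.
    """
    known, findings = {}, []
    for insn in split_instructions(dump):
        op, ops = _parse(insn)
        dst = ops[0] if ops else None
        # 1. Immediate arithmetic on a register: fold it (mov seeds, rest chain).
        if op in ("mov", "xor", "sub", "add") and len(ops) == 2 \
                and dst in REGS32 and IMM_RE.match(ops[1]):
            imm = int(ops[1][:-1], 16)
            if op == "mov":
                known[dst] = imm
            elif dst in known:
                if op == "xor":
                    known[dst] ^= imm
                elif op == "sub":
                    known[dst] = (known[dst] - imm) & MASK32
                else:
                    known[dst] = (known[dst] + imm) & MASK32
            continue
        # 2. xor reg, reg is the zeroing idiom.
        if op == "xor" and len(ops) == 2 and ops[0] == ops[1] and dst in REGS32:
            known[dst] = 0
            continue
        # 3. Consumers: record what the chain resolved to at the point of use.
        if op == "cpuid" and "eax" in known:
            findings.append((insn, "eax", known["eax"]))
        elif op == "div" and dst in known:
            findings.append((insn, dst, known[dst]))
        elif op == "cmp" and len(ops) == 2 and "ptr" in insn:
            for reg in ops:
                if reg in known:
                    findings.append((insn, reg, known[reg]))
        # 4. Writes we do not model invalidate the affected registers.
        if op in ("cpuid", "popad"):
            known.clear()
        elif op in ("rdtsc", "div"):
            known.pop("eax", None)
            known.pop("edx", None)
        elif op in ("mov", "dec", "inc", "pop", "lea") and dst in REGS32:
            known.pop(dst, None)
    return findings, known


if __name__ == "__main__":
    for addr, dump in DUMPS.items():
        findings, known = fold_constants(dump)
        print(f"trace at 0x{addr}:")
        for insn, reg, val in findings:
            print(f"  {insn:<45} {reg} = 0x{val:08X}")
        for reg, val in known.items():
            print(f"  (end of trace) {reg} = 0x{val:08X}")
```

Run stand-alone, the 0x02F78CAB trace resolves to cpuid leaf 1, a compare of the saved edx against 0 and a div by 4, and the 0x02F7750B trace to cpuid leaf 1 with ecx loaded with 0xF8 just before the next rdtsc. Read together with the pushad/popad that brackets the rdtsc and cpuid, this matches the report's "dummy instruction sequence" verdict: the counter and cpuid results are discarded, so the loop exists to burn cycles and trigger hypervisor exits rather than to read anything, which is also why the process sits at over 98% CPU while showing no other activity.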
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72EF7 rdtsc 0_2_02F72EF7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72EF7 rdtsc 0_2_02F72EF7
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F72EF7 mov eax, dword ptr fs:[00000030h] 0_2_02F72EF7
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F73259 mov eax, dword ptr fs:[00000030h] 0_2_02F73259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7504C mov eax, dword ptr fs:[00000030h] 0_2_02F7504C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F7322C mov eax, dword ptr fs:[00000030h] 0_2_02F7322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F727A4 mov eax, dword ptr fs:[00000030h] 0_2_02F727A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F76B69 mov eax, dword ptr fs:[00000030h] 0_2_02F76B69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77D3E mov eax, dword ptr fs:[00000030h] 0_2_02F77D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77106 mov eax, dword ptr fs:[00000030h] 0_2_02F77106
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77D06 mov eax, dword ptr fs:[00000030h] 0_2_02F77D06
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: MWSW9nxmUK.exe, 00000000.00000002.1288850804.0000000000CC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe Code function: 0_2_02F77337 cpuid 0_2_02F77337
No contacted IP information