Source: ogvcqbOEQs.exe |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"} |
Source: ogvcqbOEQs.exe |
Virustotal: Detection: 18% |
Source: ogvcqbOEQs.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://d-bin.duckdns.org/remcos_dyno_xLTzJv |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A4810 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A44C7 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020AA9B4 |
Source: ogvcqbOEQs.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ogvcqbOEQs.exe, 00000001.00000000.227845225.0000000000413000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe |
Source: ogvcqbOEQs.exe, 00000001.00000002.751695769.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs ogvcqbOEQs.exe |
Source: ogvcqbOEQs.exe |
Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFA9BE596F96A9332A.TMP |
Source: ogvcqbOEQs.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: ogvcqbOEQs.exe |
Static file information: File size 10571776 > 1048576 |
Source: Yara match |
File source: 00000001.00000002.751704834.00000000020A0000.00000040.00000001.sdmp, type: MEMORY |
Source: ogvcqbOEQs.exe |
Static PE information: real checksum: 0xa24e1f should be: |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_00402A6D push edx; ret |
1_2_00402A86 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_00405E39 push es; iretd |
1_2_00405E62 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_0040483D push edx; ret |
1_2_00404843 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_00405D05 push cs; ret |
1_2_00405D9B |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_00404725 push esp; retf |
1_2_00404726 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A4E38 push BA000001h; ret |
1_2_020A4E45 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A1C9C push eax; ret |
1_2_020A1CB5 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A5CB4 push eax; iretd |
1_2_020A5CB5 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A910C push eax; retf |
1_2_020A910D |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A554D push eax; iretd |
1_2_020A554E |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A5145 push ecx; ret |
1_2_020A5146 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A5763 push 878BD3C4h; iretd |
1_2_020A5774 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A57D8 push eax; ret |
1_2_020A57D9 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A77EC push eax; ret |
1_2_020A7805 |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
RDTSC instruction interceptor: First address: 00000000020A9289 second address: 00000000020A9289 instructions: |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
RDTSC instruction interceptor: First address: 00000000020A95D8 second address: 00000000020A95D8 instructions: |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
RDTSC instruction interceptor: First address: 000000000040D2BF second address: 000000000040D2BF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad 0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi 0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F70F03BC520h 0x00000019 nop 0x0000001a lfence 0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
RDTSC instruction interceptor: First address: 00000000020A032C second address: 00000000020A84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F70F03BDCFAh 0x0000005b jmp 00007F70F03B4FCAh 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F70F03B42C5h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A84CB rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe |
Code function: 1_2_020A8A7E mov eax, dword ptr fs:[00000030h] |
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: ogvcqbOEQs.exe, 00000001.00000002.751628204.0000000000C40000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |