Windows Analysis Report ogvcqbOEQs.exe

Overview

General Information

Sample Name: ogvcqbOEQs.exe
Analysis ID: 456986
MD5: f00e0bf11a316d65ab59574825f125bf
SHA1: a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256: 06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
Tags: 32exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: ogvcqbOEQs.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}
Multi AV Scanner detection for submitted file
Source: ogvcqbOEQs.exe Virustotal: Detection: 18%
Source: ogvcqbOEQs.exe ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files
Source: ogvcqbOEQs.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://d-bin.duckdns.org/remcos_dyno_xLTzJv

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FA50C NtProtectVirtualMemory, 0_2_021FA50C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0F30 NtWriteVirtualMemory,TerminateProcess, 0_2_021F0F30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8D7C NtAllocateVirtualMemory, 0_2_021F8D7C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4B8B NtWriteVirtualMemory, 0_2_021F4B8B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F543B NtWriteVirtualMemory, 0_2_021F543B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4E5E NtWriteVirtualMemory, 0_2_021F4E5E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F507A NtWriteVirtualMemory, 0_2_021F507A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8E64 NtAllocateVirtualMemory, 0_2_021F8E64
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F5696 NtWriteVirtualMemory, 0_2_021F5696
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8EFA NtAllocateVirtualMemory, 0_2_021F8EFA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F591C NtWriteVirtualMemory, 0_2_021F591C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8D0C NtAllocateVirtualMemory, 0_2_021F8D0C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F530A NtWriteVirtualMemory, 0_2_021F530A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4D08 NtWriteVirtualMemory, 0_2_021F4D08
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3331 NtWriteVirtualMemory, 0_2_021F3331
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4F53 NtWriteVirtualMemory, 0_2_021F4F53
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F557A NtWriteVirtualMemory, 0_2_021F557A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FA566 NtProtectVirtualMemory, 0_2_021FA566
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F5193 NtWriteVirtualMemory, 0_2_021F5193
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4FAF NtWriteVirtualMemory, 0_2_021F4FAF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8DA0 NtAllocateVirtualMemory, 0_2_021F8DA0
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F57DA NtWriteVirtualMemory, 0_2_021F57DA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4BD2 NtWriteVirtualMemory, 0_2_021F4BD2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F51C6 NtWriteVirtualMemory, 0_2_021F51C6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18D0C NtAllocateVirtualMemory, 13_2_00C18D0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18EFA NtAllocateVirtualMemory, 13_2_00C18EFA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18E64 NtAllocateVirtualMemory, 13_2_00C18E64
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18D81 NtAllocateVirtualMemory, 13_2_00C18D81
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18DA0 NtAllocateVirtualMemory, 13_2_00C18DA0
Detected potential crypto function
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F06B3 0_2_021F06B3
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0F30 0_2_021F0F30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8D7C 0_2_021F8D7C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4B8B 0_2_021F4B8B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FA9B4 0_2_021FA9B4
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F7DC5 0_2_021F7DC5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F401A 0_2_021F401A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4810 0_2_021F4810
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F1610 0_2_021F1610
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F1402 0_2_021F1402
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F543B 0_2_021F543B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3432 0_2_021F3432
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F6631 0_2_021F6631
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FAA30 0_2_021FAA30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F302C 0_2_021F302C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FB026 0_2_021FB026
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4E5E 0_2_021F4E5E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2E5C 0_2_021F2E5C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0E54 0_2_021F0E54
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F6C42 0_2_021F6C42
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F507A 0_2_021F507A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F1E71 0_2_021F1E71
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9A67 0_2_021F9A67
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FAA98 0_2_021FAA98
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F5696 0_2_021F5696
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0EBC 0_2_021F0EBC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F44C7 0_2_021F44C7
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F90F6 0_2_021F90F6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F40EF 0_2_021F40EF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F08E6 0_2_021F08E6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F10E4 0_2_021F10E4
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F12E2 0_2_021F12E2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9D1E 0_2_021F9D1E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F591C 0_2_021F591C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2914 0_2_021F2914
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F910C 0_2_021F910C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8D0C 0_2_021F8D0C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F530A 0_2_021F530A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4D08 0_2_021F4D08
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FAB06 0_2_021FAB06
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2104 0_2_021F2104
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9735 0_2_021F9735
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3331 0_2_021F3331
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8927 0_2_021F8927
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F1F22 0_2_021F1F22
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FAB58 0_2_021FAB58
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2956 0_2_021F2956
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4F53 0_2_021F4F53
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F5D4B 0_2_021F5D4B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F1546 0_2_021F1546
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F557A 0_2_021F557A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9163 0_2_021F9163
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2F9A 0_2_021F2F9A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F5193 0_2_021F5193
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9984 0_2_021F9984
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4FAF 0_2_021F4FAF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F33A5 0_2_021F33A5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8DA0 0_2_021F8DA0
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F7DDE 0_2_021F7DDE
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0FDC 0_2_021F0FDC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F57DA 0_2_021F57DA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F07D6 0_2_021F07D6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4BD2 0_2_021F4BD2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3FCE 0_2_021F3FCE
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FA9CB 0_2_021FA9CB
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F11CA 0_2_021F11CA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F51C6 0_2_021F51C6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021FABFC 0_2_021FABFC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F91FA 0_2_021F91FA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F07E8 0_2_021F07E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18D0C 13_2_00C18D0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C144C7 13_2_00C144C7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C10AD8 13_2_00C10AD8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C140EF 13_2_00C140EF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C190F6 13_2_00C190F6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12E5C 13_2_00C12E5C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19A67 13_2_00C19A67
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C11E71 13_2_00C11E71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14810 13_2_00C14810
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1401A 13_2_00C1401A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14C22 13_2_00C14C22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1082A 13_2_00C1082A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1302C 13_2_00C1302C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13432 13_2_00C13432
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C17DC5 13_2_00C17DC5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C107D7 13_2_00C107D7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C191FA 13_2_00C191FA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18D81 13_2_00C18D81
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19984 13_2_00C19984
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14B8B 13_2_00C14B8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C15193 13_2_00C15193
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12F9A 13_2_00C12F9A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18DA0 13_2_00C18DA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C133A5 13_2_00C133A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14FAF 13_2_00C14FAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1A9B4 13_2_00C1A9B4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12956 13_2_00C12956
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19163 13_2_00C19163
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12104 13_2_00C12104
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1910C 13_2_00C1910C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12914 13_2_00C12914
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19D1E 13_2_00C19D1E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C11F22 13_2_00C11F22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13331 13_2_00C13331
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19735 13_2_00C19735
PE file contains strange resources
Source: ogvcqbOEQs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ogvcqbOEQs.exe, 00000000.00000002.1311297640.0000000000413000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe, 00000000.00000002.1311521878.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe File created: C:\Users\user\AppData\Local\Temp\~DF02B58E180701E70C.TMP
Source: ogvcqbOEQs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ogvcqbOEQs.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Source: ogvcqbOEQs.exe Static file information: File size 10571776 > 1048576

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000D.00000002.1721956987.0000000000C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1311529373.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: ogvcqbOEQs.exe Static PE information: real checksum: 0xa24e1f should be:
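The checksum mismatch above is a weak indicator on its own: the user-mode loader never validates IMAGE_OPTIONAL_HEADER.CheckSum (Windows checks it only for drivers, DLLs loaded at boot and DLLs loaded into critical system processes), and plenty of linkers leave the field at zero. A non-zero value that does not match, as here, does tell you the header was written by something other than the linker that produced the rest of the file. The following Python is added as a worked example and is not part of the report or of the sandbox's own code: it recomputes the field with the imagehlp CheckSumMappedFile algorithm (16-bit ones'-complement sum of every word, stored CheckSum words subtracted back out, plus file length) and verifies a file against it. The 184-byte header-only image it builds is constructed for the demo, not taken from the sample.

```python
"""Recompute and verify IMAGE_OPTIONAL_HEADER.CheckSum for a PE file."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """Offset of CheckSum: e_lfanew + 4 (PE signature) + 20 (COFF header)
    + 64 (CheckSum is at +64 of the optional header in PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Same arithmetic as imagehlp!CheckSumMappedFile: 16-bit ones'-complement
    sum over every word of the file, then the two words of the stored
    CheckSum field are subtracted back out, then the file length is added."""
    stored = stored_checksum(data)
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for (word,) in struct.iter_unpack("<H", padded):
        total += word
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    for word in (stored & 0xFFFF, stored >> 16):
        if total < word:                              # end-around borrow
            total -= 1
        total = (total - word) & 0xFFFF
    return total + len(data)


def checksum_valid(data: bytes) -> bool:
    """False both for a tampered field and for a never-set (zero) field."""
    return stored_checksum(data) == pe_checksum(data)


def build_min_pe(checksum: int = 0) -> bytes:
    """Constructed 184-byte header-only image for the demo: DOS header with
    e_lfanew=0x40, PE signature, i386 COFF header with no sections, PE32
    optional header. Not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=96
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)        # CheckSum field
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe()
    print(f"stored 0x{stored_checksum(blob):x} computed 0x{pe_checksum(blob):x} "
          f"valid={checksum_valid(blob)}")
```

Run it with the sample path as the only argument to compare the stored value against the recomputed one; with no argument it reports on the constructed header, whose stored field is zero and therefore invalid.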
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_00402A6D push edx; ret 0_2_00402A86
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_00405E39 push es; iretd 0_2_00405E62
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_0040483D push edx; ret 0_2_00404843
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_00405D05 push cs; ret 0_2_00405D9B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_00404725 push esp; retf 0_2_00404726
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F0F30 NtWriteVirtualMemory,TerminateProcess, 0_2_021F0F30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4B8B NtWriteVirtualMemory, 0_2_021F4B8B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3432 0_2_021F3432
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4E5E NtWriteVirtualMemory, 0_2_021F4E5E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F507A NtWriteVirtualMemory, 0_2_021F507A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4D08 NtWriteVirtualMemory, 0_2_021F4D08
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3331 NtWriteVirtualMemory, 0_2_021F3331
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4F53 NtWriteVirtualMemory, 0_2_021F4F53
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F2B62 LoadLibraryA, 0_2_021F2B62
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4FAF NtWriteVirtualMemory, 0_2_021F4FAF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F33A5 0_2_021F33A5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F4BD2 NtWriteVirtualMemory, 0_2_021F4BD2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F69E7 0_2_021F69E7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14C22 13_2_00C14C22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13432 13_2_00C13432
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C169E7 13_2_00C169E7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14B8B 13_2_00C14B8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C133A5 13_2_00C133A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C14FAF 13_2_00C14FAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C12B62 13_2_00C12B62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13331 13_2_00C13331
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F9289 second address: 00000000021F9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F95D8 second address: 00000000021F95D8 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 000000000040D2BF second address: 000000000040D2BF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad 0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi 0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F13808AFE30h 0x00000019 nop 0x0000001a lfence 0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F032C second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F13808B939Ah 0x0000005b jmp 00007F13808B066Ah 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F13808AF965h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F9C7B second address: 00000000021F9C7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp byte ptr [ebx], al 0x0000000d mov eax, dword ptr [ebp+000001D3h] 0x00000013 jne 00007F1380E4CFEEh 0x00000015 push esi 0x00000016 mov esi, 2E377BD6h 0x0000001b cmp esi, 2E377BD6h 0x00000021 jne 00007F1380E43BC7h 0x00000027 pop esi 0x00000028 inc ebx 0x00000029 mov dword ptr [ebp+00000180h], eax 0x0000002f test ebx, ebx 0x00000031 cmp ebx, dword ptr [ebp+00000180h] 0x00000037 je 00007F1380E4D4D5h 0x0000003d mov dword ptr [ebp+000001D3h], eax 0x00000043 test ecx, eax 0x00000045 mov eax, BE50D788h 0x0000004a fnop 0x0000004c xor eax, BF222699h 0x00000051 test bh, dh 0x00000053 test ax, bx 0x00000056 xor eax, 9AD4409Eh 0x0000005b xor eax, 9BA6B137h 0x00000060 pushad 0x00000061 lfence 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F6A80 second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ecx, dword ptr [ebp+1Ch] 0x00000006 mov edx, 12634CFEh 0x0000000b cmp eax, ecx 0x0000000d call 00007F13808B204Eh 0x00000012 mov dword ptr [ebp+000001A2h], ecx 0x00000018 mov ecx, esi 0x0000001a cmp edx, 5B13C306h 0x00000020 push ecx 0x00000021 mov ecx, dword ptr [ebp+000001A2h] 0x00000027 mov dword ptr [ebp+0000022Eh], eax 0x0000002d mov eax, edx 0x0000002f push eax 0x00000030 cld 0x00000031 mov eax, dword ptr [ebp+0000022Eh] 0x00000037 mov dword ptr [ebp+0000017Fh], ebx 0x0000003d mov ebx, ecx 0x0000003f push ebx 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F6BBE second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1380E4E952h 0x00000010 mov dword ptr [ebp+000001A2h], ecx 0x00000016 mov ecx, esi 0x00000018 cmp edx, 5B13C306h 0x0000001e push ecx 0x0000001f mov ecx, dword ptr [ebp+000001A2h] 0x00000025 mov dword ptr [ebp+0000022Eh], eax 0x0000002b mov eax, edx 0x0000002d push eax 0x0000002e cld 0x0000002f mov eax, dword ptr [ebp+0000022Eh] 0x00000035 mov dword ptr [ebp+0000017Fh], ebx 0x0000003b mov ebx, ecx 0x0000003d push ebx 0x0000003e pushad 0x0000003f lfence 0x00000042 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F4C3F second address: 00000000021F4CA3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [esp], 85D5A0CAh 0x0000000a cmp ebx, edx 0x0000000c xor dword ptr [esp], 4638D96Dh 0x00000013 add dword ptr [esp], D41A2919h 0x0000001a cmp al, dl 0x0000001c mov dword ptr [ebp+000001DEh], ecx 0x00000022 mov ecx, D6837C84h 0x00000027 xor ecx, CC419165h 0x0000002d xor ecx, 2B0470FEh 0x00000033 xor ecx, 31C69D1Fh 0x00000039 push ecx 0x0000003a cmp ax, 0000B3B4h 0x0000003e mov ecx, dword ptr [ebp+000001DEh] 0x00000044 test ah, bh 0x00000046 push E0FD18E3h 0x0000004b add dword ptr [esp], 0DF85EB0h 0x00000052 xor dword ptr [esp], 3AC71945h 0x00000059 xor dword ptr [esp], D4326ED6h 0x00000060 pushad 0x00000061 lfence 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: First address: 00000000021F4CA3 second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 1030ACD3h 0x00000010 cmp cx, 41CEh 0x00000015 xor dword ptr [esp], B540BC3Ah 0x0000001c cmp cl, al 0x0000001e xor dword ptr [esp], 660B06BBh 0x00000025 xor dword ptr [esp], C37B1652h 0x0000002c call 00007F1380E51D05h 0x00000031 test dh, ah 0x00000033 mov ecx, dword ptr [ebp+1Ch] 0x00000036 cmp dx, dx 0x00000039 mov edx, AC70FD1Ah 0x0000003e call 00007F1380E4BB8Ah 0x00000043 mov dword ptr [ebp+000001A2h], ecx 0x00000049 mov ecx, esi 0x0000004b cmp edx, 5B13C306h 0x00000051 push ecx 0x00000052 mov ecx, dword ptr [ebp+000001A2h] 0x00000058 mov dword ptr [ebp+0000022Eh], eax 0x0000005e mov eax, edx 0x00000060 push eax 0x00000061 cld 0x00000062 mov eax, dword ptr [ebp+0000022Eh] 0x00000068 mov dword ptr [ebp+0000017Fh], ebx 0x0000006e mov ebx, ecx 0x00000070 push ebx 0x00000071 pushad 0x00000072 lfence 0x00000075 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000C1032C second address: 0000000000C184FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F13808B939Ah 0x0000005b jmp 00007F13808B066Ah 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F13808AF965h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc
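The interceptor traces above share one shape: rdtsc, an lfence so the read is not reordered, a stretch of filler (nop, cmp and test whose flags nothing branches on, pushad/popad), and a second rdtsc; the shellcode variants also run shl edx, 20h / or edx, eax to assemble the 64-bit counter before the delta is compared. Four of the process 0 traces (first addresses 021F032C, 021F6A80, 021F6BBE and 021F4CA3) end at the same second address, 021F84FD, so that is the shared measuring routine, and the rdtsc flagged at 0_2_021F84CB lies a few dozen bytes before it; the ieinstal.exe trace ends at 00C184FD, the same routine at the injected base. On bare metal the gap between the two reads is tens of cycles; when a hypervisor traps rdtsc, or a sandbox instruments it as this one does, the gap grows by orders of magnitude, which is what the comparison after the second read tests. The following Python is added here as an example and is not part of the report or of the sandbox's signature code: it parses two of the traces copied verbatim from above and classifies each. The "padding" heuristic (nop/fnop plus any cmp/test whose flags are clobbered or never read before a conditional jump) is an assumption of this example, not the sandbox's definition of a dummy sequence.

```python
"""Parse the report's 'RDTSC instruction interceptor' lines and classify the
code that runs between the two rdtsc executions."""
import re
from dataclasses import dataclass

ADDR_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+)")
INSN_RE = re.compile(r"0x([0-9a-f]{8}) (.*?)(?=\s0x[0-9a-f]{8}\s|$)")

# Instructions that overwrite EFLAGS. A cmp/test whose flags meet one of these
# (or the end of the trace) before any conditional jump is dead filler.
FLAG_WRITERS = {"cmp", "test", "xor", "add", "sub", "inc", "dec", "or", "and",
                "shl", "shr", "sar", "neg", "adc", "sbb", "popfd"}

# Two traces copied verbatim from this report (process 0): one from the VB6
# stub at 0x40D2BF, one from the injected shellcode at 0x21F9C7B.
TRACE_STUB = (
    r"Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: "
    "First address: 000000000040D2BF second address: 000000000040D2BF instructions: "
    "0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad "
    "0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi "
    "0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h "
    "0x00000017 jne 00007F13808AFE30h 0x00000019 nop 0x0000001a lfence "
    "0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc")
TRACE_SHELLCODE = (
    r"Source: C:\Users\user\Desktop\ogvcqbOEQs.exe RDTSC instruction interceptor: "
    "First address: 00000000021F9C7B second address: 00000000021F9C7B instructions: "
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a popad 0x0000000b cmp byte ptr [ebx], al "
    "0x0000000d mov eax, dword ptr [ebp+000001D3h] 0x00000013 jne 00007F1380E4CFEEh "
    "0x00000015 push esi 0x00000016 mov esi, 2E377BD6h 0x0000001b cmp esi, 2E377BD6h "
    "0x00000021 jne 00007F1380E43BC7h 0x00000027 pop esi 0x00000028 inc ebx "
    "0x00000029 mov dword ptr [ebp+00000180h], eax 0x0000002f test ebx, ebx "
    "0x00000031 cmp ebx, dword ptr [ebp+00000180h] 0x00000037 je 00007F1380E4D4D5h "
    "0x0000003d mov dword ptr [ebp+000001D3h], eax 0x00000043 test ecx, eax "
    "0x00000045 mov eax, BE50D788h 0x0000004a fnop 0x0000004c xor eax, BF222699h "
    "0x00000051 test bh, dh 0x00000053 test ax, bx 0x00000056 xor eax, 9AD4409Eh "
    "0x0000005b xor eax, 9BA6B137h 0x00000060 pushad 0x00000061 lfence 0x00000064 rdtsc")


@dataclass
class TimingCheck:
    first: int
    second: int
    insns: list          # [(offset, "mnemonic operands"), ...]
    loop: bool           # both rdtsc hits at one address: the check spins
    window: bool         # trace starts and ends with rdtsc
    serialized: bool     # lfence present, so the reads are not reordered
    tsc64: bool          # shl edx, 20h / or edx, eax: full 64-bit TSC built
    padding: int         # nop/fnop plus cmp/test whose flags are never read


def flags_consumed(mnems: list, i: int) -> bool:
    """True if a conditional jump reads the flags set at mnems[i] before
    another flag-writing instruction clobbers them."""
    for m in mnems[i + 1:]:
        if m.startswith("j") and m != "jmp":
            return True
        if m in FLAG_WRITERS:
            return False
    return False


def parse_trace(line: str) -> TimingCheck:
    addr = ADDR_RE.search(line)
    body = line.split("instructions:", 1)[1].strip()
    insns = [(int(off, 16), " ".join(text.split()).lower())
             for off, text in INSN_RE.findall(body)]
    mnems = [(text.split() or [""])[0] for _, text in insns]
    ops = [text for _, text in insns]
    padding = sum(1 for i, m in enumerate(mnems)
                  if m in ("nop", "fnop")
                  or (m in ("cmp", "test") and not flags_consumed(mnems, i)))
    first, second = (int(a, 16) for a in addr.groups())
    return TimingCheck(
        first=first, second=second, insns=insns, loop=first == second,
        window=bool(mnems) and mnems[0] == "rdtsc" and mnems[-1] == "rdtsc",
        serialized="lfence" in mnems,
        tsc64="shl edx, 20h" in ops and "or edx, eax" in ops,
        padding=padding)


if __name__ == "__main__":
    for name, trace in (("stub", TRACE_STUB), ("shellcode", TRACE_SHELLCODE)):
        c = parse_trace(trace)
        print(f"{name}: {c.first:08X}->{c.second:08X} {len(c.insns)} insns "
              f"loop={c.loop} window={c.window} lfence={c.serialized} "
              f"tsc64={c.tsc64} padding={c.padding}")
```

Feeding every interceptor line of a report through parse_trace and grouping by second address is a quick way to find the one measuring routine that all the instrumented call sites funnel into.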
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F84CB rdtsc 0_2_021F84CB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe System information queried: ModuleInformation

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 90% for more than 60s
Hides threads from debuggers
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F7144 LdrInitializeThunk, 0_2_021F7144
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F401A mov eax, dword ptr fs:[00000030h] 0_2_021F401A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F8A7E mov eax, dword ptr fs:[00000030h] 0_2_021F8A7E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3C84 mov eax, dword ptr fs:[00000030h] 0_2_021F3C84
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F84B2 mov eax, dword ptr fs:[00000030h] 0_2_021F84B2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F62A9 mov eax, dword ptr fs:[00000030h] 0_2_021F62A9
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3331 mov eax, dword ptr fs:[00000030h] 0_2_021F3331
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F9984 mov eax, dword ptr fs:[00000030h] 0_2_021F9984
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Code function: 0_2_021F3FCE mov eax, dword ptr fs:[00000030h] 0_2_021F3FCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13C84 mov eax, dword ptr fs:[00000030h] 13_2_00C13C84
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C162A9 mov eax, dword ptr fs:[00000030h] 13_2_00C162A9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C184B2 mov eax, dword ptr fs:[00000030h] 13_2_00C184B2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C18A7E mov eax, dword ptr fs:[00000030h] 13_2_00C18A7E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C1401A mov eax, dword ptr fs:[00000030h] 13_2_00C1401A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C19984 mov eax, dword ptr fs:[00000030h] 13_2_00C19984
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 13_2_00C13331 mov eax, dword ptr fs:[00000030h] 13_2_00C13331

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: C10000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp Binary or memory string: Progmanlock
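The two signatures above are the hollowing chain: ieinstal.exe is started suspended with the parent's own path as its command line rather than its own, the parent writes into it at base C10000, and the GuLoader Yara rule then matches at exactly that base in process 13. The function listings in System Summary confirm the written payload is position-independent: every routine at 021Fxxxx in process 0 reappears at 00C1xxxx in process 13 with the same low 16 bits (021F8D0C and 00C18D0C, 021F401A and 00C1401A, and so on). The cheapest of these indicators to check at scale is the mismatch between the child's image path and argv[0] of its command line, which needs no memory introspection at all. The following Python is added as an example and is not part of the report or of the sandbox's detection logic: it correlates a small event stream into a per-process verdict. The events are built from this report's own process indices (0 and 13); the write size, the PAGE_EXECUTE_READWRITE protection of the written region and the notepad.exe control process are assumptions.

```python
"""Correlate sandbox process and memory events into a process-hollowing verdict."""
import ntpath
from dataclasses import dataclass
from typing import Optional

CREATE_SUSPENDED = 0x00000004          # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ProcessCreate:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str
    flags: int = 0


@dataclass
class MemoryWrite:
    src: int          # writing process
    dst: int          # target process
    base: int
    size: int
    protect: int


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path
    (Joe Sandbox prints single quotes; CreateProcess callers use double)."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        return s[1:].split(s[0], 1)[0]
    return s.split(" ", 1)[0]


def hollowing_findings(procs, writes, min_indicators=3):
    """[(proc, [indicator, ...])] for each process that shows at least
    min_indicators of the hollowing chain."""
    findings = []
    for p in procs:
        why = []
        if p.flags & CREATE_SUSPENDED:
            why.append("created with CREATE_SUSPENDED")
        if ntpath.basename(argv0(p.cmdline)).lower() != ntpath.basename(p.image).lower():
            why.append(f"command line names {argv0(p.cmdline)!r} but image is {p.image!r}")
        foreign = [w for w in writes if w.dst == p.pid and w.src != p.pid]
        if foreign:
            who = ("its parent" if all(w.src == p.parent for w in foreign)
                   else f"pid(s) {sorted({w.src for w in foreign})}")
            why.append(f"{len(foreign)} cross-process write(s) from {who}")
        if any(w.protect == PAGE_EXECUTE_READWRITE for w in foreign):
            why.append("written region is PAGE_EXECUTE_READWRITE")
        if len(why) >= min_indicators:
            findings.append((p, why))
    return findings


# Constructed from this report (process index 0 = parent, 13 = ieinstal.exe):
# the child is started suspended with the parent's own path as its command
# line, then the parent writes into it at 0xC10000. The write size, the RWX
# protection and the notepad.exe control process are assumptions.
PROCS = [
    ProcessCreate(0, None, r"C:\Users\user\Desktop\ogvcqbOEQs.exe",
                  r"'C:\Users\user\Desktop\ogvcqbOEQs.exe'"),
    ProcessCreate(13, 0, r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
                  r"'C:\Users\user\Desktop\ogvcqbOEQs.exe'", CREATE_SUSPENDED),
    ProcessCreate(99, 0, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
WRITES = [MemoryWrite(src=0, dst=13, base=0xC10000, size=0x10000,
                      protect=PAGE_EXECUTE_READWRITE)]

if __name__ == "__main__":
    for proc, why in hollowing_findings(PROCS, WRITES):
        print(f"pid {proc.pid} ({ntpath.basename(proc.image)}): hollowing suspected")
        for reason in why:
            print("  -", reason)
```

The threshold of three indicators is deliberate: a suspended start alone is what debuggers and some installers do, and a cross-process write alone is what every DLL-injecting AV hook does; it is the combination on a signed system binary whose command line names a different executable that is hard to explain benignly.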

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos