Source: 00000000.00000002.747139743.00000000020A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"} |
Source: 97bXaukEWl.exe | Virustotal: Detection: 24% |
Source: 97bXaukEWl.exe | ReversingLabs: Detection: 17% |
Source: 97bXaukEWl.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: | Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: 97bXaukEWl.exe |
Source: Malware configuration extractor | URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin |
Source: 97bXaukEWl.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: 97bXaukEWl.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: 97bXaukEWl.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: 97bXaukEWl.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: 97bXaukEWl.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 97bXaukEWl.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: 97bXaukEWl.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: 97bXaukEWl.exe | String found in binary or memory: http://ocsp.digicert.com0O |
Source: 97bXaukEWl.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: 97bXaukEWl.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A5798 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A5798 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A7A0B |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A2655 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4AAA |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A46B8 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A9AB9 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4ADA |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A433C |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A7B34 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A8F4F |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A8F5C |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A3BB6 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A83CF |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A73CC |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A7BDB |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A8FD6 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A1BF9 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A1BF7 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A7C0D |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A7C02 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4021 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A9058 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A245F |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4050 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A2877 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A489B |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A90D7 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4CF4 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A3D14 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A792B |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A352B |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A554D |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A796F |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A916F |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A39D7 |
Source: 97bXaukEWl.exe | Static PE information: invalid certificate |
Source: 97bXaukEWl.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 97bXaukEWl.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 97bXaukEWl.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 97bXaukEWl.exe, 00000000.00000000.221378124.0000000000436000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe |
Source: 97bXaukEWl.exe, 00000000.00000002.750338858.0000000002960000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebayrerss.exeFE2X vs 97bXaukEWl.exe |
Source: 97bXaukEWl.exe | Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: 97bXaukEWl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: 97bXaukEWl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Yara match | File source: 00000000.00000002.747139743.00000000020A0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_00421041 push ss; retf |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_00422433 push eax; iretd |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_004200E2 push eax; iretd |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_004210A8 push ebx; retf |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_00421D79 pushfd ; iretd |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_00405D8C push eax; retf |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_004223E5 push eax; iretd |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A2F61 push esi; ret |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A8391 push edx; ret |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A83B8 push edx; ret |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A0FFD push ebx; iretd |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A540E pushad ; retf |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A5798 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A3714 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A433C |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A3BB6 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A73CC |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A245F |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A4050 |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A352B |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | RDTSC instruction interceptor: First address: 00000000020A6EEA second address: 00000000020A73F6 instructions: |
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a add eax, FF6DF465h
    0x0000000f add eax, 051D0E23h
    0x00000014 cmp ch, FFFFFF9Bh
    0x00000017 add eax, BB406732h
    0x0000001c push ss
    0x0000001d pop ss
    0x0000001e jmp 00007F7BD0B3E4A3h
    0x00000020 cmp dword ptr [ebp+0000024Eh], eax
    0x00000026 mov eax, dword ptr [ebp+0000024Eh]
    0x0000002c jne 00007F7BD0B3E548h
    0x00000032 pushad
    0x00000033 mov bl, 77h
    0x00000035 cmp bl, 00000077h
    0x00000038 jne 00007F7BD0B40B02h
    0x0000003e popad
    0x0000003f push 7DDA0CB7h
    0x00000044 call 00007F7BD0B3E8FAh
    0x00000049 mov eax, dword ptr fs:[00000030h]
    0x0000004f mov eax, dword ptr [eax+0Ch]
    0x00000052 test cx, ax
    0x00000055 mov eax, dword ptr [eax+14h]
    0x00000058 mov ecx, dword ptr [eax]
    0x0000005a pushad
    0x0000005b mov bx, 12CFh
    0x0000005f cmp bx, 12CFh
    0x00000064 jne 00007F7BD0B376F3h
    0x0000006a popad
    0x0000006b mov eax, ecx
    0x0000006d cmp dh, ah
    0x0000006f jmp 00007F7BD0B3E4A6h
    0x00000071 test bh, bh
    0x00000073 mov ebx, dword ptr [eax+28h]
    0x00000076 test bl, dl
    0x00000078 mov dword ptr [ebp+00000238h], edx
    0x0000007e pushad
    0x0000007f lfence
    0x00000082 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe | RDTSC instruction interceptor: First address: 00000000020A92DD second address: 00000000020A92DD instructions: |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | RDTSC instruction interceptor: First address: 00000000020A73F6 second address: 00000000020A74C0 instructions: |
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b mov edx, 2A63ED14h
    0x00000010 cmp ax, dx
    0x00000013 xor edx, 8CD6B9A0h
    0x00000019 xor edx, 8DA3C863h
    0x0000001f cmp eax, ecx
    0x00000021 sub edx, 2B169CD7h
    0x00000027 test ebx, E044EBDBh
    0x0000002d cmp ebx, edx
    0x0000002f mov edx, dword ptr [ebp+00000238h]
    0x00000035 je 00007F7BD0AEA8D8h
    0x0000003b fnop
    0x0000003d mov dword ptr [ebp+00000222h], eax
    0x00000043 pushad
    0x00000044 mov bh, 9Ah
    0x00000046 cmp bh, FFFFFF9Ah
    0x00000049 jne 00007F7BD0AE7432h
    0x0000004f popad
    0x00000050 mov eax, ebx
    0x00000052 push eax
    0x00000053 mov eax, dword ptr [ebp+00000222h]
    0x00000059 test dl, 0000005Ah
    0x0000005c cmp cx, dx
    0x0000005f call 00007F7BD0AEA8B7h
    0x00000064 pushad
    0x00000065 lfence
    0x00000068 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe | RDTSC instruction interceptor: First address: 00000000020A58DE second address: 00000000020A593B instructions: |
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 sub dword ptr [esp], F2A63F26h
    0x0000000a test bx, ax
    0x0000000d xor dword ptr [esp], 1168D9BEh
    0x00000014 mov dword ptr [ebp+00000148h], 00000000h
    0x0000001e add ebx, 04h
    0x00000021 mov dword ptr [ebp+0000018Bh], esi
    0x00000027 mov esi, ebx
    0x00000029 push esi
    0x0000002a mov esi, dword ptr [ebp+0000018Bh]
    0x00000030 cmp ch, dh
    0x00000032 mov dword ptr [ebp+000001E4h], ecx
    0x00000038 mov ecx, 785B2C8Ch
    0x0000003d test ebx, eax
    0x0000003f test bx, bx
    0x00000042 xor ecx, C683D913h
    0x00000048 cmp dl, 00000035h
    0x0000004b add ecx, 3D510807h
    0x00000051 sub ecx, FC29FDA7h
    0x00000057 pushad
    0x00000058 mov esi, 00000084h
    0x0000005d rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A5798 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A5798 rdtsc |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A6E4F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\97bXaukEWl.exe | Code function: 0_2_020A352B mov eax, dword ptr fs:[00000030h] |
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |