Windows Analysis Report 97bXaukEWl.exe

Overview

General Information

Sample Name: 97bXaukEWl.exe
Analysis ID: 457852
MD5: 9318cd06a9a0b788dc043a63c97d4fce
SHA1: a296ea3e1cf6d41f9d059d7d6e5058882b03161a
SHA256: 7ad18b09938d40e8ec342ee6bee6b190a986ffedce7567a638b8d25b4098cb69
Tags: exe, GuLoader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.977918776.00000000021F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}
Multi AV Scanner detection for submitted file
Source: 97bXaukEWl.exe Virustotal: Detection: 24%
Source: 97bXaukEWl.exe ReversingLabs: Detection: 17%

Compliance:

barindex
Uses 32bit PE files
Source: 97bXaukEWl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: 97bXaukEWl.exe

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin
Source: 97bXaukEWl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 97bXaukEWl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 97bXaukEWl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 97bXaukEWl.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 97bXaukEWl.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 97bXaukEWl.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 97bXaukEWl.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 97bXaukEWl.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 97bXaukEWl.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 97bXaukEWl.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8A72 NtProtectVirtualMemory, 0_2_021F8A72
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F1EDB NtWriteVirtualMemory,LoadLibraryA, 0_2_021F1EDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8F4F NtSetContextThread, 0_2_021F8F4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F578B NtAllocateVirtualMemory, 0_2_021F578B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0B81 NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_021F0B81
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F04E5 EnumWindows,NtWriteVirtualMemory,LoadLibraryA, 0_2_021F04E5
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4E0A NtWriteVirtualMemory, 0_2_021F4E0A
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F927E NtSetContextThread, 0_2_021F927E
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F46B8 NtWriteVirtualMemory, 0_2_021F46B8
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4AAA NtWriteVirtualMemory, 0_2_021F4AAA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4ADA NtWriteVirtualMemory, 0_2_021F4ADA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F433C NtWriteVirtualMemory, 0_2_021F433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8F5C NtSetContextThread, 0_2_021F8F5C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3BB6 NtWriteVirtualMemory, 0_2_021F3BB6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8FB4 NtSetContextThread, 0_2_021F8FB4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F73A9 NtWriteVirtualMemory, 0_2_021F73A9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8FD6 NtSetContextThread, 0_2_021F8FD6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F245F NtWriteVirtualMemory, 0_2_021F245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F9058 NtSetContextThread, 0_2_021F9058
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4050 NtWriteVirtualMemory, 0_2_021F4050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F489B NtWriteVirtualMemory, 0_2_021F489B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0495 NtWriteVirtualMemory, 0_2_021F0495
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F90D7 NtSetContextThread, 0_2_021F90D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4CF4 NtWriteVirtualMemory, 0_2_021F4CF4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F916F NtSetContextThread, 0_2_021F916F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00565798 NtAllocateVirtualMemory, 16_2_00565798
Detected potential crypto function
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7EA7 0_2_021F7EA7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F1EDB 0_2_021F1EDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8F4F 0_2_021F8F4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F578B 0_2_021F578B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0B81 0_2_021F0B81
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F04E5 0_2_021F04E5
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7E1F 0_2_021F7E1F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0E0C 0_2_021F0E0C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7A0B 0_2_021F7A0B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2655 0_2_021F2655
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2A4A 0_2_021F2A4A
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2A75 0_2_021F2A75
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F9AB9 0_2_021F9AB9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F46B8 0_2_021F46B8
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4AAA 0_2_021F4AAA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4ADA 0_2_021F4ADA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F433C 0_2_021F433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7B34 0_2_021F7B34
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8F5C 0_2_021F8F5C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0F4A 0_2_021F0F4A
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F5B9B 0_2_021F5B9B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3BB6 0_2_021F3BB6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8FB4 0_2_021F8FB4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0FAC 0_2_021F0FAC
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F73A9 0_2_021F73A9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7BDB 0_2_021F7BDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8FD6 0_2_021F8FD6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F83CF 0_2_021F83CF
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F1BF9 0_2_021F1BF9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F1BF7 0_2_021F1BF7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7C0D 0_2_021F7C0D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2C04 0_2_021F2C04
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F5403 0_2_021F5403
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7C02 0_2_021F7C02
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8029 0_2_021F8029
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F245F 0_2_021F245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F9058 0_2_021F9058
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4050 0_2_021F4050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0C4E 0_2_021F0C4E
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2877 0_2_021F2877
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8874 0_2_021F8874
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F489B 0_2_021F489B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0495 0_2_021F0495
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F90D7 0_2_021F90D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0CC2 0_2_021F0CC2
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4CF4 0_2_021F4CF4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F88F1 0_2_021F88F1
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3D14 0_2_021F3D14
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F352B 0_2_021F352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F792B 0_2_021F792B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7528 0_2_021F7528
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7922 0_2_021F7922
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8921 0_2_021F8921
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F554D 0_2_021F554D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F796F 0_2_021F796F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F916F 0_2_021F916F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8166 0_2_021F8166
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F81B4 0_2_021F81B4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F39D7 0_2_021F39D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F85F3 0_2_021F85F3
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00565798 16_2_00565798
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564050 16_2_00564050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056245F 16_2_0056245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00569058 16_2_00569058
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00562877 16_2_00562877
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00567C02 16_2_00567C02
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00567C0D 16_2_00567C0D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564021 16_2_00564021
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005690D7 16_2_005690D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564CF4 16_2_00564CF4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056489B 16_2_0056489B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056554D 16_2_0056554D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056796F 16_2_0056796F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056916F 16_2_0056916F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00563D14 16_2_00563D14
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056792B 16_2_0056792B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056352B 16_2_0056352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005639D7 16_2_005639D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00562655 16_2_00562655
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00567A0B 16_2_00567A0B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564ADA 16_2_00564ADA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005646B8 16_2_005646B8
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00569AB9 16_2_00569AB9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564AAA 16_2_00564AAA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00568F5C 16_2_00568F5C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00568F4F 16_2_00568F4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00567B34 16_2_00567B34
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056433C 16_2_0056433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00568FD6 16_2_00568FD6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00567BDB 16_2_00567BDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005683CF 16_2_005683CF
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005673CC 16_2_005673CC
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00561BF7 16_2_00561BF7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00561BF9 16_2_00561BF9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00563BB6 16_2_00563BB6
PE / OLE file has an invalid certificate
Source: 97bXaukEWl.exe Static PE information: invalid certificate
PE file contains strange resources
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 97bXaukEWl.exe, 00000000.00000002.980269205.00000000029E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebayrerss.exeFE2X vs 97bXaukEWl.exe
Source: 97bXaukEWl.exe, 00000000.00000000.643884583.0000000000436000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe
Source: 97bXaukEWl.exe, 00000010.00000000.977016207.0000000000436000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe
Source: 97bXaukEWl.exe Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe
Uses 32bit PE files
Source: 97bXaukEWl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@0/0
Source: 97bXaukEWl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\97bXaukEWl.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\97bXaukEWl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 97bXaukEWl.exe Virustotal: Detection: 24%
Source: 97bXaukEWl.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\97bXaukEWl.exe 'C:\Users\user\Desktop\97bXaukEWl.exe'
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process created: C:\Users\user\Desktop\97bXaukEWl.exe 'C:\Users\user\Desktop\97bXaukEWl.exe'
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process created: C:\Users\user\Desktop\97bXaukEWl.exe 'C:\Users\user\Desktop\97bXaukEWl.exe'
Source: 97bXaukEWl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: 97bXaukEWl.exe

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.977918776.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1723282507.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00421041 push ss; retf 0_2_00421042
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00422433 push eax; iretd 0_2_004224A1
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004200E2 push eax; iretd 0_2_004200E5
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004210A8 push ebx; retf 0_2_004210AE
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00421D79 pushfd ; iretd 0_2_00421D97
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00405D8C push eax; retf 0_2_00405DC6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004223E5 push eax; iretd 0_2_004224A1
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8391 push edx; ret 0_2_021F8392
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F83B8 push edx; ret 0_2_021F83B9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056540E pushad ; retf 16_2_00565419
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00562F61 push esi; ret 16_2_00562F63
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00560FFD push ebx; iretd 16_2_0056100C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00568391 push edx; ret 16_2_00568392
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005683B8 push edx; ret 16_2_005683B9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F1EDB NtWriteVirtualMemory,LoadLibraryA, 0_2_021F1EDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0B81 NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_021F0B81
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F04E5 EnumWindows,NtWriteVirtualMemory,LoadLibraryA, 0_2_021F04E5
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7E1F 0_2_021F7E1F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2A4A 0_2_021F2A4A
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3296 0_2_021F3296
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3714 0_2_021F3714
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F433C NtWriteVirtualMemory, 0_2_021F433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F5B9B 0_2_021F5B9B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F3BB6 NtWriteVirtualMemory, 0_2_021F3BB6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F73A9 NtWriteVirtualMemory, 0_2_021F73A9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F33E0 0_2_021F33E0
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8029 0_2_021F8029
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F245F NtWriteVirtualMemory, 0_2_021F245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F4050 NtWriteVirtualMemory, 0_2_021F4050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F0495 NtWriteVirtualMemory, 0_2_021F0495
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F352B LoadLibraryA, 0_2_021F352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8166 0_2_021F8166
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F81B4 0_2_021F81B4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00565798 NtAllocateVirtualMemory, 16_2_00565798
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00564050 16_2_00564050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056245F 16_2_0056245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056352B 16_2_0056352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00563714 16_2_00563714
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056433C 16_2_0056433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_005673CC 16_2_005673CC
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00563BB6 16_2_00563BB6
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F6EEA second address: 00000000021F73F6 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add eax, FF6DF465h
  0x0000000f add eax, 051D0E23h
  0x00000014 cmp ch, FFFFFF9Bh
  0x00000017 add eax, BB406732h
  0x0000001c push ss
  0x0000001d pop ss
  0x0000001e jmp 00007F5D4C976313h
  0x00000020 cmp dword ptr [ebp+0000024Eh], eax
  0x00000026 mov eax, dword ptr [ebp+0000024Eh]
  0x0000002c jne 00007F5D4C9763B8h
  0x00000032 pushad
  0x00000033 mov bl, 77h
  0x00000035 cmp bl, 00000077h
  0x00000038 jne 00007F5D4C978972h
  0x0000003e popad
  0x0000003f push 7DDA0CB7h
  0x00000044 call 00007F5D4C97676Ah
  0x00000049 mov eax, dword ptr fs:[00000030h]
  0x0000004f mov eax, dword ptr [eax+0Ch]
  0x00000052 test cx, ax
  0x00000055 mov eax, dword ptr [eax+14h]
  0x00000058 mov ecx, dword ptr [eax]
  0x0000005a pushad
  0x0000005b mov bx, 12CFh
  0x0000005f cmp bx, 12CFh
  0x00000064 jne 00007F5D4C96F563h
  0x0000006a popad
  0x0000006b mov eax, ecx
  0x0000006d cmp dh, ah
  0x0000006f jmp 00007F5D4C976316h
  0x00000071 test bh, bh
  0x00000073 mov ebx, dword ptr [eax+28h]
  0x00000076 test bl, dl
  0x00000078 mov dword ptr [ebp+00000238h], edx
  0x0000007e pushad
  0x0000007f lfence
  0x00000082 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F92DD second address: 00000000021F92DD instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F031E second address: 00000000021F0397 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add dword ptr [esp], DD0EB426h
  0x00000011 xor dword ptr [esp], A2789713h
  0x00000018 cmp bx, dx
  0x0000001b sub dword ptr [esp], 57D82723h
  0x00000022 cmp dl, bl
  0x00000024 push dword ptr [ebp+24h]
  0x00000027 push B41326CDh
  0x0000002c add dword ptr [esp], 5BFCB3E1h
  0x00000033 xor dword ptr [esp], 23E80C5Ch
  0x0000003a cmp dx, dx
  0x0000003d xor dword ptr [esp], 33E7D6F2h
  0x00000044 test eax, AA1C1C90h
  0x00000049 test edi, C711A858h
  0x0000004f mov dword ptr [ebp+0000022Ch], edi
  0x00000055 cmp cx, cx
  0x00000058 mov edi, 3881A7FFh
  0x0000005d nop
  0x0000005e sub edi, 3134FF81h
  0x00000064 xor edi, E289D110h
  0x0000006a add edi, 1A3A8692h
  0x00000070 test dl, al
  0x00000072 push edi
  0x00000073 pushad
  0x00000074 mov edi, 00000083h
  0x00000079 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F54F3 second address: 00000000021F54F3 instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F431B second address: 00000000021F431B instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F4503 second address: 00000000021F453E instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a xor dword ptr [edi-04h], A6386E0Bh
  0x00000011 xor dword ptr [edi-04h], B9D6F6F7h
  0x00000018 cmp cx, ax
  0x0000001b add dword ptr [edi-04h], 7462BF15h
  0x00000022 test cx, cx
  0x00000025 sub edi, 08h
  0x00000028 mov dword ptr [ebp+00000273h], ebx
  0x0000002e cmp dx, BBD8h
  0x00000033 mov ebx, edi
  0x00000035 pushad
  0x00000036 mov esi, 00000075h
  0x0000003b rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\97bXaukEWl.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\97bXaukEWl.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 97bXaukEWl.exe, 00000000.00000002.977929920.0000000002200000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 97bXaukEWl.exe, 00000000.00000002.977929920.0000000002200000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F6EEA second address: 00000000021F73F6 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add eax, FF6DF465h
  0x0000000f add eax, 051D0E23h
  0x00000014 cmp ch, FFFFFF9Bh
  0x00000017 add eax, BB406732h
  0x0000001c push ss
  0x0000001d pop ss
  0x0000001e jmp 00007F5D4C976313h
  0x00000020 cmp dword ptr [ebp+0000024Eh], eax
  0x00000026 mov eax, dword ptr [ebp+0000024Eh]
  0x0000002c jne 00007F5D4C9763B8h
  0x00000032 pushad
  0x00000033 mov bl, 77h
  0x00000035 cmp bl, 00000077h
  0x00000038 jne 00007F5D4C978972h
  0x0000003e popad
  0x0000003f push 7DDA0CB7h
  0x00000044 call 00007F5D4C97676Ah
  0x00000049 mov eax, dword ptr fs:[00000030h]
  0x0000004f mov eax, dword ptr [eax+0Ch]
  0x00000052 test cx, ax
  0x00000055 mov eax, dword ptr [eax+14h]
  0x00000058 mov ecx, dword ptr [eax]
  0x0000005a pushad
  0x0000005b mov bx, 12CFh
  0x0000005f cmp bx, 12CFh
  0x00000064 jne 00007F5D4C96F563h
  0x0000006a popad
  0x0000006b mov eax, ecx
  0x0000006d cmp dh, ah
  0x0000006f jmp 00007F5D4C976316h
  0x00000071 test bh, bh
  0x00000073 mov ebx, dword ptr [eax+28h]
  0x00000076 test bl, dl
  0x00000078 mov dword ptr [ebp+00000238h], edx
  0x0000007e pushad
  0x0000007f lfence
  0x00000082 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F73F6 second address: 00000000021F74C0 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov edx, 2A63ED14h
  0x00000010 cmp ax, dx
  0x00000013 xor edx, 8CD6B9A0h
  0x00000019 xor edx, 8DA3C863h
  0x0000001f cmp eax, ecx
  0x00000021 sub edx, 2B169CD7h
  0x00000027 test ebx, E044EBDBh
  0x0000002d cmp ebx, edx
  0x0000002f mov edx, dword ptr [ebp+00000238h]
  0x00000035 je 00007F5D4C979AC8h
  0x0000003b fnop
  0x0000003d mov dword ptr [ebp+00000222h], eax
  0x00000043 pushad
  0x00000044 mov bh, 9Ah
  0x00000046 cmp bh, FFFFFF9Ah
  0x00000049 jne 00007F5D4C976622h
  0x0000004f popad
  0x00000050 mov eax, ebx
  0x00000052 push eax
  0x00000053 mov eax, dword ptr [ebp+00000222h]
  0x00000059 test dl, 0000005Ah
  0x0000005c cmp cx, dx
  0x0000005f call 00007F5D4C979AA7h
  0x00000064 pushad
  0x00000065 lfence
  0x00000068 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F58DE second address: 00000000021F593B instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 sub dword ptr [esp], F2A63F26h
  0x0000000a test bx, ax
  0x0000000d xor dword ptr [esp], 1168D9BEh
  0x00000014 mov dword ptr [ebp+00000148h], 00000000h
  0x0000001e add ebx, 04h
  0x00000021 mov dword ptr [ebp+0000018Bh], esi
  0x00000027 mov esi, ebx
  0x00000029 push esi
  0x0000002a mov esi, dword ptr [ebp+0000018Bh]
  0x00000030 cmp ch, dh
  0x00000032 mov dword ptr [ebp+000001E4h], ecx
  0x00000038 mov ecx, 785B2C8Ch
  0x0000003d test ebx, eax
  0x0000003f test bx, bx
  0x00000042 xor ecx, C683D913h
  0x00000048 cmp dl, 00000035h
  0x0000004b add ecx, 3D510807h
  0x00000051 sub ecx, FC29FDA7h
  0x00000057 pushad
  0x00000058 mov esi, 00000084h
  0x0000005d rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F92DD second address: 00000000021F92DD instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F785E second address: 00000000021F785E instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e mov eax, 5C0051C0h
  0x00000013 xor eax, 94AC04D9h
  0x00000018 xor eax, B48B5376h
  0x0000001d add eax, 83D8F992h
  0x00000022 cpuid
  0x00000024 bt ecx, 1Fh
  0x00000028 jc 00007F5D4C9769F4h
  0x0000002e popad
  0x0000002f test ch, dh
  0x00000031 call 00007F5D4C97645Bh
  0x00000036 lfence
  0x00000039 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F031E second address: 00000000021F0397 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add dword ptr [esp], DD0EB426h
  0x00000011 xor dword ptr [esp], A2789713h
  0x00000018 cmp bx, dx
  0x0000001b sub dword ptr [esp], 57D82723h
  0x00000022 cmp dl, bl
  0x00000024 push dword ptr [ebp+24h]
  0x00000027 push B41326CDh
  0x0000002c add dword ptr [esp], 5BFCB3E1h
  0x00000033 xor dword ptr [esp], 23E80C5Ch
  0x0000003a cmp dx, dx
  0x0000003d xor dword ptr [esp], 33E7D6F2h
  0x00000044 test eax, AA1C1C90h
  0x00000049 test edi, C711A858h
  0x0000004f mov dword ptr [ebp+0000022Ch], edi
  0x00000055 cmp cx, cx
  0x00000058 mov edi, 3881A7FFh
  0x0000005d nop
  0x0000005e sub edi, 3134FF81h
  0x00000064 xor edi, E289D110h
  0x0000006a add edi, 1A3A8692h
  0x00000070 test dl, al
  0x00000072 push edi
  0x00000073 pushad
  0x00000074 mov edi, 00000083h
  0x00000079 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F81EC second address: 00000000021F822F instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b test edx, 94B68C09h
  0x00000011 mov byte ptr [eax+02h], 00000037h
  0x00000015 cmp ecx, 231EEF59h
  0x0000001b xor byte ptr [eax+02h], 00000047h
  0x0000001f test eax, ebx
  0x00000021 xor byte ptr [eax+02h], FFFFFFD6h
  0x00000025 cmp al, cl
  0x00000027 sub byte ptr [eax+02h], FFFFFFEEh
  0x0000002b test eax, 87C1F4F0h
  0x00000030 mov edx, dword ptr [ebp+00000138h]
  0x00000036 mov dword ptr [eax+03h], edx
  0x00000039 mov byte ptr [eax+07h], 0000007Eh
  0x0000003d cmp ah, ah
  0x0000003f pushad
  0x00000040 lfence
  0x00000043 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F54F3 second address: 00000000021F54F3 instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F423B second address: 00000000021F429F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [edi+00000400h], AE13020Fh 0x0000000d sub dword ptr [edi+00000400h], 1CB14038h 0x00000017 add edi, 00000800h 0x0000001d cmp eax, ebx 0x0000001f mov dword ptr [ebp+00000258h], esi 0x00000025 mov esi, edi 0x00000027 push esi 0x00000028 pushad 0x00000029 mov ax, FC9Dh 0x0000002d cmp ax, 0000FC9Dh 0x00000031 jne 00007F5D4C9726BBh 0x00000037 popad 0x00000038 mov esi, dword ptr [ebp+00000258h] 0x0000003e test ch, ah 0x00000040 sub edi, 00000400h 0x00000046 push edi 0x00000047 mov dword ptr [ebp+000001C6h], ecx 0x0000004d cmp ax, 000007EAh 0x00000051 mov ecx, ED8EAE1Fh 0x00000056 test edx, eax 0x00000058 sub ecx, 1F47D02Eh 0x0000005e pushad 0x0000005f mov edx, 00000012h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F429F second address: 00000000021F431B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, B78BEEF4h 0x00000009 sub ecx, 79CD3305h 0x0000000f cmp eax, ebx 0x00000011 push ecx 0x00000012 mov ecx, dword ptr [ebp+000001C6h] 0x00000018 pushad 0x00000019 mov ax, 5815h 0x0000001d cmp ax, 00005815h 0x00000021 jne 00007F5D4C975DA7h 0x00000027 popad 0x00000028 mov dword ptr [ebp+00000267h], edx 0x0000002e test ch, ah 0x00000030 mov edx, 8B79DAF0h 0x00000035 sub edx, F6E40DCFh 0x0000003b cmp dl, cl 0x0000003d xor edx, 76741942h 0x00000043 cmp ch, FFFFFFEBh 0x00000046 add edx, 1D1E2B9Dh 0x0000004c push edx 0x0000004d mov edx, dword ptr [ebp+00000267h] 0x00000053 cmp dh, ch 0x00000055 push B85066C5h 0x0000005a sub dword ptr [esp], DCEC679Bh 0x00000061 xor dword ptr [esp], 7F44C44Fh 0x00000068 cmp ecx, 5F196E4Eh 0x0000006e add dword ptr [esp], 5BD8C49Fh 0x00000075 mov dword ptr [ebp+000001D2h], ebx 0x0000007b pushad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F431B second address: 00000000021F431B instructions:
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F6AC5 second address: 00000000021F6AC5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp byte ptr [eax], cl 0x0000000d mov ecx, dword ptr [ebp+000001EBh] 0x00000013 jne 00007F5D4C9799F6h 0x00000015 cmp eax, eax 0x00000017 mov dl, byte ptr [eax] 0x00000019 mov byte ptr [ebx], dl 0x0000001b cmp ecx, edx 0x0000001d add eax, 02h 0x00000020 add ebx, 02h 0x00000023 add ecx, 02h 0x00000026 mov dword ptr [ebp+000001EBh], ecx 0x0000002c test cx, ax 0x0000002f mov ecx, 8BD2E791h 0x00000034 test ecx, eax 0x00000036 xor ecx, 5E03D163h 0x0000003c add ecx, 15B5ED3Ch 0x00000042 xor ecx, EB87242Eh 0x00000048 pushad 0x00000049 lfence 0x0000004c rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F4503 second address: 00000000021F453E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [edi-04h], A6386E0Bh 0x00000011 xor dword ptr [edi-04h], B9D6F6F7h 0x00000018 cmp cx, ax 0x0000001b add dword ptr [edi-04h], 7462BF15h 0x00000022 test cx, cx 0x00000025 sub edi, 08h 0x00000028 mov dword ptr [ebp+00000273h], ebx 0x0000002e cmp dx, BBD8h 0x00000033 mov ebx, edi 0x00000035 pushad 0x00000036 mov esi, 00000075h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F49A9 second address: 00000000021F49F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000020Bh], esi 0x00000011 mov esi, eax 0x00000013 cmp ch, FFFFFF92h 0x00000016 push esi 0x00000017 test ebx, 9D1B03B2h 0x0000001d mov esi, dword ptr [ebp+0000020Bh] 0x00000023 pushad 0x00000024 mov cx, FBE3h 0x00000028 cmp cx, FBE3h 0x0000002d jne 00007F5D4C975691h 0x00000033 popad 0x00000034 mov dword ptr [ebp+00000211h], ecx 0x0000003a mov ecx, 9C111FBCh 0x0000003f test al, al 0x00000041 cmp ecx, eax 0x00000043 xor ecx, E8D4BD1Ch 0x00000049 pushad 0x0000004a lfence 0x0000004d rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000021F4CB8 second address: 00000000021F4D88 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+00000100h], F6F0BFE9h 0x00000015 jmp 00007F5D4C976342h 0x00000017 xor dword ptr [ebp+00000100h], B2BDCA7Eh 0x00000021 add dword ptr [ebp+00000100h], 0276E553h 0x0000002b add dword ptr [ebp+00000100h], B94BA516h 0x00000035 cmp bh, FFFFFF8Dh 0x00000038 mov ebx, ebp 0x0000003a add ebx, 00000100h 0x00000040 cmp al, cl 0x00000042 mov dword ptr [ebp+000001A4h], esi 0x00000048 mov esi, ebx 0x0000004a push esi 0x0000004b mov esi, dword ptr [ebp+000001A4h] 0x00000051 cmp bl, bl 0x00000053 push 77130013h 0x00000058 xor dword ptr [esp], 6830176Dh 0x0000005f cld 0x00000060 xor dword ptr [esp], 455A7242h 0x00000067 test dl, al 0x00000069 xor dword ptr [esp], 5A79653Ch 0x00000070 mov dword ptr [ebp+00000104h], B7F099FDh 0x0000007a test ecx, 83670C26h 0x00000080 test bl, cl 0x00000082 xor dword ptr [ebp+00000104h], 1230A70Dh 0x0000008c pushad 0x0000008d lfence 0x00000090 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000005673F6 second address: 00000000005674C0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edx, 2A63ED14h 0x00000010 cmp ax, dx 0x00000013 xor edx, 8CD6B9A0h 0x00000019 xor edx, 8DA3C863h 0x0000001f cmp eax, ecx 0x00000021 sub edx, 2B169CD7h 0x00000027 test ebx, E044EBDBh 0x0000002d cmp ebx, edx 0x0000002f mov edx, dword ptr [ebp+00000238h] 0x00000035 je 00007F5D4C979AC8h 0x0000003b fnop 0x0000003d mov dword ptr [ebp+00000222h], eax 0x00000043 pushad 0x00000044 mov bh, 9Ah 0x00000046 cmp bh, FFFFFF9Ah 0x00000049 jne 00007F5D4C976622h 0x0000004f popad 0x00000050 mov eax, ebx 0x00000052 push eax 0x00000053 mov eax, dword ptr [ebp+00000222h] 0x00000059 test dl, 0000005Ah 0x0000005c cmp cx, dx 0x0000005f call 00007F5D4C979AA7h 0x00000064 pushad 0x00000065 lfence 0x00000068 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000005658DE second address: 000000000056593B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], F2A63F26h 0x0000000a test bx, ax 0x0000000d xor dword ptr [esp], 1168D9BEh 0x00000014 mov dword ptr [ebp+00000148h], 00000000h 0x0000001e add ebx, 04h 0x00000021 mov dword ptr [ebp+0000018Bh], esi 0x00000027 mov esi, ebx 0x00000029 push esi 0x0000002a mov esi, dword ptr [ebp+0000018Bh] 0x00000030 cmp ch, dh 0x00000032 mov dword ptr [ebp+000001E4h], ecx 0x00000038 mov ecx, 785B2C8Ch 0x0000003d test ebx, eax 0x0000003f test bx, bx 0x00000042 xor ecx, C683D913h 0x00000048 cmp dl, 00000035h 0x0000004b add ecx, 3D510807h 0x00000051 sub ecx, FC29FDA7h 0x00000057 pushad 0x00000058 mov esi, 00000084h 0x0000005d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7EA7 rdtsc 0_2_021F7EA7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 97bXaukEWl.exe, 00000000.00000002.977929920.0000000002200000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: 97bXaukEWl.exe, 00000000.00000002.977929920.0000000002200000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\97bXaukEWl.exe System information queried: ModuleInformation

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process Stats: CPU usage > 90% for more than 60s
Hides threads from debuggers
Source: C:\Users\user\Desktop\97bXaukEWl.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7EA7 rdtsc 0_2_021F7EA7
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F6352 LdrInitializeThunk, 0_2_021F6352
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F7E1F mov eax, dword ptr fs:[00000030h] 0_2_021F7E1F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F6E4F mov eax, dword ptr fs:[00000030h] 0_2_021F6E4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F2A4A mov eax, dword ptr fs:[00000030h] 0_2_021F2A4A
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F73A9 mov eax, dword ptr fs:[00000030h] 0_2_021F73A9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F5403 mov eax, dword ptr fs:[00000030h] 0_2_021F5403
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F8029 mov eax, dword ptr fs:[00000030h] 0_2_021F8029
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_021F352B mov eax, dword ptr fs:[00000030h] 0_2_021F352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_0056352B mov eax, dword ptr fs:[00000030h] 16_2_0056352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 16_2_00566E4F mov eax, dword ptr fs:[00000030h] 16_2_00566E4F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process created: C:\Users\user\Desktop\97bXaukEWl.exe 'C:\Users\user\Desktop\97bXaukEWl.exe'
Source: 97bXaukEWl.exe, 00000010.00000002.1723555308.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 97bXaukEWl.exe, 00000010.00000002.1723555308.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 97bXaukEWl.exe, 00000010.00000002.1723555308.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 97bXaukEWl.exe, 00000010.00000002.1723555308.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos