Source: 00000001.00000002.725863057.0000000002170000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"} |
Source: loKmeabs9V.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02175971 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02175971 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02177C19 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178030 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02174230 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02173A2E |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217962D |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02171654 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02179653 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217245A |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02175844 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178294 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02172C93 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02173C9E |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217629C |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217149C |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178098 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178687 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02172889 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021730BC |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02170CAC |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02174CD0 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021782DC |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021736C3 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021746C8 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02173EE1 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217151C |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178324 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02178923 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02177921 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02174352 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02171D5A |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02171940 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02170571 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02174B96 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021711B4 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02175DAE |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02170BC7 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021719F4 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02175BF3 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021741E6 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021787E3 |
Source: loKmeabs9V.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: loKmeabs9V.exe, 00000001.00000002.725664691.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs loKmeabs9V.exe |
Source: loKmeabs9V.exe, 00000001.00000002.724408573.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe |
Source: loKmeabs9V.exe | Binary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: loKmeabs9V.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: loKmeabs9V.exe | Virustotal: Detection: 20% |
Source: Yara match | File source: 00000001.00000002.725863057.0000000002170000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_00404DCC push edx; iretd |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_004059BD push F32E5D69h; retf |
Source: initial sample | Static PE information: section name: .text entropy: 7.07623900315 |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | RDTSC instruction interceptor: First address: 0000000002177F30 second address: 0000000002177F30 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A494EE6Bh 0x00000007 xor eax, 6C4D1677h 0x0000000c xor eax, 6E4EF001h 0x00000011 xor eax, A697081Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FF014CB631Ah 0x0000001e lfence 0x00000021 mov edx, 2EA7C992h 0x00000026 xor edx, 079D8C51h 0x0000002c xor edx, 2142E10Eh 0x00000032 xor edx, 7786A4D9h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp dx, ax 0x00000040 ret 0x00000041 sub edx, esi 0x00000043 ret 0x00000044 cmp cl, dl 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007FF014CB62F8h 0x00000057 test eax, ebx 0x00000059 call 00007FF014CB635Fh 0x0000005e call 00007FF014CB633Bh 0x00000063 lfence 0x00000066 mov edx, 2EA7C992h 0x0000006b xor edx, 079D8C51h 0x00000071 xor edx, 2142E10Eh 0x00000077 xor edx, 7786A4D9h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 cmp dx, ax 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02177C19 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02172C93 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_0217548E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021736C3 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_02177B16 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021773F1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021787E3 mov eax, dword ptr fs:[00000030h] |
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loKmeabs9V.exe, 00000001.00000002.725388156.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 1_2_021773AF cpuid |