Source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"} |
Source: kGSHiWbgq9.exe | Virustotal: Detection: 21% |
Source: kGSHiWbgq9.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTH_PRUu |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465968 NtAllocateVirtualMemory, | 0_2_02465968 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465A62 NtAllocateVirtualMemory, | 0_2_02465A62 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465968 | 0_2_02465968 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460211 | 0_2_02460211 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02464339 | 0_2_02464339 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024640B7 | 0_2_024640B7 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024686DB | 0_2_024686DB |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024686F4 | 0_2_024686F4 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465781 | 0_2_02465781 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_0246443A | 0_2_0246443A |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024694D8 | 0_2_024694D8 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_0246853B | 0_2_0246853B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024695C6 | 0_2_024695C6 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024685E7 | 0_2_024685E7 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024605A1 | 0_2_024605A1 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465A62 | 0_2_02465A62 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462A77 | 0_2_02462A77 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02467A7A | 0_2_02467A7A |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460B59 | 0_2_02460B59 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460BDC | 0_2_02460BDC |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02463BFF | 0_2_02463BFF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462873 | 0_2_02462873 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02468802 | 0_2_02468802 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02461900 | 0_2_02461900 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_0246891F | 0_2_0246891F |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02467E5C | 0_2_02467E5C |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460ED2 | 0_2_02460ED2 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02461E99 | 0_2_02461E99 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462FD3 | 0_2_02462FD3 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02468C2C | 0_2_02468C2C |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02463CEF | 0_2_02463CEF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02463CF2 | 0_2_02463CF2 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460CFA | 0_2_02460CFA |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465D78 | 0_2_02465D78 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462D3B | 0_2_02462D3B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460DD5 | 0_2_02460DD5 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02461DA0 | 0_2_02461DA0 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02464DB6 | 0_2_02464DB6 |
Source: kGSHiWbgq9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: kGSHiWbgq9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: kGSHiWbgq9.exe, 00000000.00000002.769800514.00000000021E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe, 00000000.00000002.767741983.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe | Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF0A4DA332BC76A601.TMP |
Source: kGSHiWbgq9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: kGSHiWbgq9.exe | Virustotal: Detection: 21% |
Source: Yara match | File source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408873 push esp; ret | 0_2_00408877 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_004088C0 push esp; ret | 0_2_004088CB |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_004014E9 push es; ret | 0_2_004014EA |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408CB2 push esi; ret | 0_2_00408CB3 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_0040891C push esi; retf | 0_2_0040892F |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00407D36 pushad ; iretd | 0_2_00407D3B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408672 push esi; ret | 0_2_00408677 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00407E22 push ds; iretd | 0_2_00407E27 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408624 push esp; ret | 0_2_00408627 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408ADE push esi; retf | 0_2_00408ADF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_00408695 push esi; ret | 0_2_00408677 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02466625 push ebp; iretd | 0_2_02466637 |
Source: initial sample | Static PE information: section name: .text entropy: 7.07266809617 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460B59 | 0_2_02460B59 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460BDC | 0_2_02460BDC |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462FD3 | 0_2_02462FD3 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460CFA | 0_2_02460CFA |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462D3B | 0_2_02462D3B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460DD5 | 0_2_02460DD5 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | RDTSC instruction interceptor: First address: 0000000002460298 second address: 0000000002460298 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | RDTSC instruction interceptor: First address: 0000000002467EAD second address: 0000000002467EAD instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | RDTSC instruction interceptor: First address: 0000000002469858 second address: 0000000002469858 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | RDTSC instruction interceptor: First address: 0000000002467CB5 second address: 0000000002467CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F7834E0F173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007F7834E0F169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007F7834E0F06Ch 0x00000063 call 00007F7834E0F0C7h 0x00000068 call 00007F7834E0F194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460211 rdtsc | 0_2_02460211 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02460211 rdtsc | 0_2_02460211 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_024673B4 mov eax, dword ptr fs:[00000030h] | 0_2_024673B4 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02463441 mov eax, dword ptr fs:[00000030h] | 0_2_02463441 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_0246853B mov eax, dword ptr fs:[00000030h] | 0_2_0246853B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02465589 mov eax, dword ptr fs:[00000030h] | 0_2_02465589 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02467898 mov eax, dword ptr fs:[00000030h] | 0_2_02467898 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe | Code function: 0_2_02462D3B mov eax, dword ptr fs:[00000030h] | 0_2_02462D3B |
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager |
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |