Source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"} |
Source: LzbZ4T1iV8.exe | Virustotal: Detection: 17% |
Source: LzbZ4T1iV8.exe | ReversingLabs: Detection: 17% |
Source: LzbZ4T1iV8.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^ |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 NtAllocateVirtualMemory, | 1_2_021758B1 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758FA NtAllocateVirtualMemory, | 1_2_021758FA |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404478 | 1_2_00404478 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404418 | 1_2_00404418 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404834 | 1_2_00404834 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004036F0 | 1_2_004036F0 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004034F4 | 1_2_004034F4 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00403488 | 1_2_00403488 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004046B4 | 1_2_004046B4 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404774 | 1_2_00404774 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404534 | 1_2_00404534 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004045F4 | 1_2_004045F4 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004035B2 | 1_2_004035B2 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004043B8 | 1_2_004043B8 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 | 1_2_021758B1 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02174C19 | 1_2_02174C19 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217424C | 1_2_0217424C |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02173C48 | 1_2_02173C48 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217249F | 1_2_0217249F |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172899 | 1_2_02172899 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217808E | 1_2_0217808E |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021756A3 | 1_2_021756A3 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172EA2 | 1_2_02172EA2 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02177AD9 | 1_2_02177AD9 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021742C4 | 1_2_021742C4 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021720C0 | 1_2_021720C0 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172CF2 | 1_2_02172CF2 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021720FE | 1_2_021720FE |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02177F34 | 1_2_02177F34 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217474F | 1_2_0217474F |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02171D73 | 1_2_02171D73 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02170567 | 1_2_02170567 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02171D68 | 1_2_02171D68 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02173FBC | 1_2_02173FBC |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021743A8 | 1_2_021743A8 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021761C5 | 1_2_021761C5 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021777FF | 1_2_021777FF |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021793FB | 1_2_021793FB |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021793EC | 1_2_021793EC |
Source: LzbZ4T1iV8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: LzbZ4T1iV8.exe, 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe |
Source: LzbZ4T1iV8.exe, 00000001.00000002.742262419.0000000002120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs LzbZ4T1iV8.exe |
Source: LzbZ4T1iV8.exe | Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | File created: C:\Users\user\AppData\Local\Temp\~DFE493499F9C12E32C.TMP |
Source: LzbZ4T1iV8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004018D2 push fs; retf | 1_2_004018D4 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217A006 pushfd ; iretd | 1_2_0217A007 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217662F push cs; iretd | 1_2_02176630 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02176075 push 39F54C89h; retf | 1_2_0217607A |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02178694 push E886E32Ah; iretd | 1_2_0217869C |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02179F30 pushfd ; retf | 1_2_02179F43 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02175D44 push edx; ret | 1_2_02175D4A |
Source: initial sample | Static PE information: section name: .text entropy: 7.08169017725 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002177542 second address: 0000000002177542 instructions: |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 00000000021774C3 second address: 0000000002177542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007FEAE0DD0522h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 000000000217734C second address: 000000000217734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007FEAE0DD04EEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002178236 second address: 0000000002178261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007FEAE0DEEEE5h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002177D0C second address: 0000000002177D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007FEAE0DD050Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007FEAE0DD05E9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007FEAE0DD04EAh 0x0000005b cmp edx, eax 0x0000005d call 00007FEAE0DD054Ch 0x00000062 call 00007FEAE0DD052Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007FEAE0DD05E9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 rdtsc | 1_2_021758B1 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02175461 mov eax, dword ptr fs:[00000030h] | 1_2_02175461 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172CF2 mov eax, dword ptr fs:[00000030h] | 1_2_02172CF2 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021778E2 mov eax, dword ptr fs:[00000030h] | 1_2_021778E2 |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217735B mov eax, dword ptr fs:[00000030h] | 1_2_0217735B |
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00401A45 cpuid | 1_2_00401A45 |