Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Sample Name: 7keerHhHvn.exe
Analysis ID: 458550
MD5: 782783574d2d4b67666b77b686c2e673
SHA1: 8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256: 0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
Tags: exe, Malware

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=6D6F7"}
Multi AV Scanner detection for submitted file
Source: 7keerHhHvn.exe Virustotal: Detection: 25%
Machine Learning detection for sample
Source: 7keerHhHvn.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 7keerHhHvn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=6D6F7

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_004028BC GetAsyncKeyState, 0_2_004028BC

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76825 NtAllocateVirtualMemory, 0_2_02D76825
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7687F NtAllocateVirtualMemory, 0_2_02D7687F
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D769A7 NtAllocateVirtualMemory, 0_2_02D769A7
Detected potential crypto function
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76825 0_2_02D76825
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D794D7 0_2_02D794D7
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D792D3 0_2_02D792D3
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76EDC 0_2_02D76EDC
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D798C4 0_2_02D798C4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D714C4 0_2_02D714C4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74ACE 0_2_02D74ACE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D78ECA 0_2_02D78ECA
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D746CA 0_2_02D746CA
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73CF4 0_2_02D73CF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74AF4 0_2_02D74AF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7A0FC 0_2_02D7A0FC
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D730F8 0_2_02D730F8
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D72AEE 0_2_02D72AEE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AEBF 0_2_02D7AEBF
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D706BD 0_2_02D706BD
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D792BA 0_2_02D792BA
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D72AAE 0_2_02D72AAE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79E57 0_2_02D79E57
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7245B 0_2_02D7245B
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D72C58 0_2_02D72C58
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AE46 0_2_02D7AE46
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73445 0_2_02D73445
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74C43 0_2_02D74C43
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7304D 0_2_02D7304D
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7687F 0_2_02D7687F
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7A478 0_2_02D7A478
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D75262 0_2_02D75262
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74817 0_2_02D74817
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7A015 0_2_02D7A015
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73219 0_2_02D73219
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73018 0_2_02D73018
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D71218 0_2_02D71218
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74234 0_2_02D74234
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74A23 0_2_02D74A23
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7082B 0_2_02D7082B
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D70FDD 0_2_02D70FDD
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79BD9 0_2_02D79BD9
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D715C7 0_2_02D715C7
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D78DC3 0_2_02D78DC3
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73FC9 0_2_02D73FC9
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73BF4 0_2_02D73BF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D793FA 0_2_02D793FA
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73FF9 0_2_02D73FF9
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74FF9 0_2_02D74FF9
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76FE2 0_2_02D76FE2
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76D95 0_2_02D76D95
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79D9A 0_2_02D79D9A
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D70F85 0_2_02D70F85
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73D83 0_2_02D73D83
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79B89 0_2_02D79B89
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D76DB1 0_2_02D76DB1
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AFBE 0_2_02D7AFBE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7B3BA 0_2_02D7B3BA
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D745B8 0_2_02D745B8
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D747AE 0_2_02D747AE
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7ADAB 0_2_02D7ADAB
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AF52 0_2_02D7AF52
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74551 0_2_02D74551
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7655D 0_2_02D7655D
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AD47 0_2_02D7AD47
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D71174 0_2_02D71174
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D72D70 0_2_02D72D70
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74970 0_2_02D74970
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7417B 0_2_02D7417B
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74D78 0_2_02D74D78
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D71F6E 0_2_02D71F6E
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7156A 0_2_02D7156A
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74F07 0_2_02D74F07
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7090B 0_2_02D7090B
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7490B 0_2_02D7490B
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D74B36 0_2_02D74B36
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7AD35 0_2_02D7AD35
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D71331 0_2_02D71331
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D72B31 0_2_02D72B31
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73325 0_2_02D73325
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79F2C 0_2_02D79F2C
Sample file is different than original file name gathered from version info
Source: 7keerHhHvn.exe, 00000000.00000002.761350467.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe, 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Uses 32bit PE files
Source: 7keerHhHvn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\7keerHhHvn.exe File created: C:\Users\user\AppData\Local\Temp\~DF8F1F4DFF04104EF7.TMP
Source: 7keerHhHvn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7keerHhHvn.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\7keerHhHvn.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\7keerHhHvn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7keerHhHvn.exe Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\7keerHhHvn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_004066EE push edx; iretd 0_2_004066EF
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_00407D67 push es; ret 0_2_00407D68
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D70FDD 0_2_02D70FDD
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D70F85 0_2_02D70F85
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\7keerHhHvn.exe RDTSC instruction interceptor: First address: 0000000002D76090 second address: 0000000002D76090 instructions:
0x00000000 rdtsc
0x00000002 mov eax, D06691AFh
0x00000007 xor eax, 51795B17h
0x0000000c sub eax, E89895FEh
0x00000011 sub eax, 988734B9h
0x00000016 cpuid
0x00000018 jmp 00007FDE10E500D6h
0x0000001a test bx, 62F2h
0x0000001f popad
0x00000020 call 00007FDE10E5008Ch
0x00000025 lfence
0x00000028 mov edx, 3126F457h
0x0000002d xor edx, A11635D2h
0x00000033 xor edx, 122A2AF9h
0x00000039 xor edx, FDE4EB68h
0x0000003f mov edx, dword ptr [edx]
0x00000041 lfence
0x00000044 ret
0x00000045 cmp dh, ch
0x00000047 sub edx, esi
0x00000049 ret
0x0000004a test ah, dh
0x0000004c pop ecx
0x0000004d add edi, edx
0x0000004f dec ecx
0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h
0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h
0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah
0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh
0x00000078 cmp ecx, dword ptr [ebp+0000017Ch]
0x0000007e jne 00007FDE10E4FFD4h
0x00000084 jmp 00007FDE10E500E2h
0x00000086 test ch, dh
0x00000088 mov dword ptr [ebp+00000274h], edi
0x0000008e mov edi, ecx
0x00000090 push edi
0x00000091 mov edi, dword ptr [ebp+00000274h]
0x00000097 call 00007FDE10E500F4h
0x0000009c call 00007FDE10E50108h
0x000000a1 lfence
0x000000a4 mov edx, 3126F457h
0x000000a9 xor edx, A11635D2h
0x000000af xor edx, 122A2AF9h
0x000000b5 xor edx, FDE4EB68h
0x000000bb mov edx, dword ptr [edx]
0x000000bd lfence
0x000000c0 ret
0x000000c1 mov esi, edx
0x000000c3 pushad
0x000000c4 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73ED1 rdtsc 0_2_02D73ED1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\7keerHhHvn.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73ED1 rdtsc 0_2_02D73ED1
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D75EA3 mov eax, dword ptr fs:[00000030h] 0_2_02D75EA3
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D78C1A mov eax, dword ptr fs:[00000030h] 0_2_02D78C1A
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73018 mov eax, dword ptr fs:[00000030h] 0_2_02D73018
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D73BF4 mov eax, dword ptr fs:[00000030h] 0_2_02D73BF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D79D9A mov eax, dword ptr fs:[00000030h] 0_2_02D79D9A
Source: C:\Users\user\Desktop\7keerHhHvn.exe Code function: 0_2_02D7915A mov eax, dword ptr fs:[00000030h] 0_2_02D7915A
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP infos