Source: 00000001.00000002.730158990.0000000000740000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw"} |
Source: pRcHGlVekw.exe |
Virustotal: Detection: 31% |
Source: pRcHGlVekw.exe |
ReversingLabs: Detection: 17% |
Source: pRcHGlVekw.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw |
Source: pRcHGlVekw.exe, 00000001.00000002.730373505.000000000076A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007459EA NtAllocateVirtualMemory, |
1_2_007459EA |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00745A22 NtAllocateVirtualMemory, |
1_2_00745A22 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00742A67 |
1_2_00742A67 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00748053 |
1_2_00748053 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00742021 |
1_2_00742021 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00743A2B |
1_2_00743A2B |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00748817 |
1_2_00748817 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007486D9 |
1_2_007486D9 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00747C9A |
1_2_00747C9A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00748960 |
1_2_00748960 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00741557 |
1_2_00741557 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00743944 |
1_2_00743944 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00742B4B |
1_2_00742B4B |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074392D |
1_2_0074392D |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00744111 |
1_2_00744111 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00743B1F |
1_2_00743B1F |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007497F3 |
1_2_007497F3 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007479D6 |
1_2_007479D6 |
Source: pRcHGlVekw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pRcHGlVekw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pRcHGlVekw.exe, 00000001.00000002.729344916.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe, 00000001.00000002.730002789.00000000005E0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe |
Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF33F62ECDF925AC8A.TMP |
Source: pRcHGlVekw.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: pRcHGlVekw.exe |
Virustotal: Detection: 31% |
Source: pRcHGlVekw.exe |
ReversingLabs: Detection: 17% |
Source: Yara match |
File source: 00000001.00000002.730158990.0000000000740000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00407108 push ebp; retf |
1_2_00407109 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00749E74 pushfd ; iretd |
1_2_00749EE0 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074A037 push ds; retf |
1_2_0074A03A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074A033 push ds; retf |
1_2_0074A036 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074A027 push ds; retf |
1_2_0074A02A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074A02F push ds; retf |
1_2_0074A032 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074A02B push ds; retf |
1_2_0074A02E |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00748013 pushfd ; iretd |
1_2_00749EE0 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007462B4 push edi; ret |
1_2_007462B6 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007473D8 pushfd ; iretd |
1_2_00749EE0 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074979D push edx; iretd |
1_2_007497A3 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.08042704515 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
RDTSC instruction interceptor: First address: 0000000000747EBB second address: 0000000000747EBB instructions:
0x00000000 rdtsc
0x00000002 mov eax, 01B6460Dh
0x00000007 xor eax, BEFED3B1h
0x0000000c sub eax, 17554910h
0x00000011 add eax, 580CB355h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F29B0A819F0h
0x0000001e lfence
0x00000021 mov edx, 1889B9A2h
0x00000026 xor edx, A7C3F6EDh
0x0000002c add edx, 20E9D255h
0x00000032 xor edx, 9FCA21B0h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d test dh, 0000006Eh
0x00000040 test cx, cx
0x00000043 cmp cx, dx
0x00000046 ret
0x00000047 sub edx, esi
0x00000049 ret
0x0000004a test dh, ah
0x0000004c add edi, edx
0x0000004e dec dword ptr [ebp+000000F8h]
0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005b jne 00007F29B0A818EAh
0x0000005d call 00007F29B0A8194Dh
0x00000062 call 00007F29B0A81A11h
0x00000067 lfence
0x0000006a mov edx, 1889B9A2h
0x0000006f xor edx, A7C3F6EDh
0x00000075 add edx, 20E9D255h
0x0000007b xor edx, 9FCA21B0h
0x00000081 mov edx, dword ptr [edx]
0x00000083 lfence
0x00000086 test dh, 0000006Eh
0x00000089 test cx, cx
0x0000008c cmp cx, dx
0x0000008f ret
0x00000090 mov esi, edx
0x00000092 pushad
0x00000093 rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00747EB3 rdtsc |
1_2_00747EB3 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00747EB3 rdtsc |
1_2_00747EB3 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00748817 mov eax, dword ptr fs:[00000030h] |
1_2_00748817 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00743944 mov eax, dword ptr fs:[00000030h] |
1_2_00743944 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00747540 mov eax, dword ptr fs:[00000030h] |
1_2_00747540 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0074392D mov eax, dword ptr fs:[00000030h] |
1_2_0074392D |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_007455ED mov eax, dword ptr fs:[00000030h] |
1_2_007455ED |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00747BB8 mov eax, dword ptr fs:[00000030h] |
1_2_00747BB8 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: pRcHGlVekw.exe, 00000001.00000002.731079680.0000000000CF0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |