Source: 00000001.00000002.777526639.0000000002210000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=10smU8Pga"}
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Joe Sandbox ML: detected
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=download&id=10smU8Pga
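The extractor lines above show the GuLoader payload URL being recovered from the dumped memory region at 0x02210000 (the unpacked stage), not from the file on disk. The following Python is an added example and is not Joe Sandbox's or any GuLoader extractor's own code: it does not implement GuLoader's string decryption and assumes the region has already been dumped after decryption, so the URL sits in memory in plaintext. It carves printable ASCII and UTF-16LE strings from the dump the way `strings` / `strings -el` would and matches the Google Drive direct-download form this report recovered. The sample dump bytes are constructed for the example and embed the report's URL twice.

```python
import re

# Google Drive direct-download URL, the form this report's extractor recovered.
URL_RE = re.compile(r"https?://drive\.google\.com/uc\?export=download&id=[A-Za-z0-9_-]+")

# Runs of printable characters, as `strings` / `strings -el` would carve them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def carve_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def extract_payload_urls(blob: bytes, base: int = 0):
    """Return sorted [(virtual_address, encoding, url)] for every payload URL.

    base is the load address of the dumped region, so offsets map back to what
    the sandbox reports (0x02210000 for the region cited above)."""
    hits = []
    for off, enc, text in carve_strings(blob):
        width = 2 if enc == "utf-16-le" else 1
        for m in URL_RE.finditer(text):
            hits.append((base + off + m.start() * width, enc, m.group()))
    return sorted(hits)


# Constructed sample dump for the example: the report's URL once as ASCII and
# once as UTF-16LE, surrounded by filler bytes that no string carver keeps.
SAMPLE_URL = "https://drive.google.com/uc?export=download&id=10smU8Pga"
SAMPLE_DUMP = (
    b"\x00" * 32
    + SAMPLE_URL.encode("ascii")
    + b"\x00" * 7
    + b"\xcc" * 16
    + SAMPLE_URL.encode("utf-16-le")
    + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for va, enc, url in extract_payload_urls(SAMPLE_DUMP, base=0x02210000):
        # Print the URL defanged so it is not clickable in a ticket or chat.
        print(f"{va:#010x} {enc:9} {url.replace('http', 'hxxp').replace('.', '[.]')}")
```

Run this against the raw .sdmp file the report names, not the original executable: the loader keeps its configuration encrypted until runtime, which is why the on-disk strings contain the Creative Commons URL below but not the payload URL. Do not fetch the recovered URL from an analyst workstation; hand it to a sandbox or a proxy log search.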
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.775792747.000000000070A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: initial sample
Static PE information: Filename: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Static file information: Suspicious name
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000000.250160600.000000000041E000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Code function: 1_2_02216F8F
Code function: 1_2_02212AE6
Code function: 1_2_02212AD8
Code function: 1_2_0221279D
Code function: 1_2_022127F0
Code function: 1_2_02216FC8
Code function: 1_2_02217023
Code function: 1_2_02216C33
Code function: 1_2_0221A848
Code function: 1_2_02213C97
Code function: 1_2_02213C9B
Code function: 1_2_022150F5
Code function: 1_2_02213D33
Code function: 1_2_02215100
Code function: 1_2_022151AB
Code function: 1_2_022195AE
Code function: 1_2_0221518E
Code function: 1_2_02213DE8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Code function: 1_2_02216F8F NtAllocateVirtualMemory
Code function: 1_2_02216FC8 NtAllocateVirtualMemory
Code function: 1_2_02217023 NtAllocateVirtualMemory
Code function: 1_2_022170A6 NtAllocateVirtualMemory
Code function: 1_2_022170DB NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Process Stats: CPU usage > 98%
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine
Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: Yara match
File source: 00000001.00000002.777526639.0000000002210000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Code function: 1_2_00417BB0 push dword ptr [edi+000000BCh]; ret (1_2_004185BC)
Code function: 1_2_00406E76 push 31716A05h; retf (1_2_00406E7B)
Code function: 1_2_00405A07 push ebx; iretd (1_2_00405A09)
Code function: 1_2_00404430 pushfd; retf (1_2_00404432)
Code function: 1_2_004064DA push esi; ret (1_2_004064E5)
Code function: 1_2_0040708F push ebx; iretd (1_2_00407091)
Code function: 1_2_004052A7 push ebx; iretd (1_2_004052A9)
Code function: 1_2_00404F7C push es; iretd (1_2_00404F7D)
Code function: 1_2_00405F08 push es; iretd (1_2_00405F09)
Code function: 1_2_0040392D push esi; ret (1_2_00403934)
Code function: 1_2_004063CF push ebx; iretd (1_2_004063D1)
Code function: 1_2_00406FD7 push ebx; iretd (1_2_00406FD9)
Code function: 1_2_004039AE push ds; iretd (1_2_004039DF)
Code function: 1_2_004069B4 push es; iretd (1_2_004069B5)
Code function: 1_2_022106C4 push ecx; retf (1_2_022106C5)
Code function: 1_2_02216B90 push 84000039h; ret (1_2_02216B95)
Code function: 1_2_02213921 push esi; retf (1_2_02213922)
Source: initial sample
Static PE information: section name: .text entropy: 7.12774451895
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Code function: 1_2_02219CE4 rdtsc
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Code function: 1_2_02216AA7 mov eax, dword ptr fs:[00000030h]
Code function: 1_2_02219781 mov eax, dword ptr fs:[00000030h]
Code function: 1_2_02214390 mov eax, dword ptr fs:[00000030h]
Code function: 1_2_02219069 mov eax, dword ptr fs:[00000030h]
Code function: 1_2_0221A848 mov eax, dword ptr fs:[00000030h]
Code function: 1_2_02213C97 mov eax, dword ptr fs:[00000030h]
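Read together, the static evidence above characterises the unpacked stage: a .text entropy of 7.13 (compressed or encrypted code), push/ret, push/retf and push/iretd sequences that hide control flow from a linear disassembler, an rdtsc timing check, and repeated reads of fs:[30h], the PEB, where BeingDebugged and the loader data live. The following Python is an added example and is not Joe Sandbox's or this report's own code: it computes the Shannon entropy of a byte buffer and scans it for the 32-bit x86 encodings of the instructions the report lists. The byte patterns are written from the standard instruction encodings and are my assumption of what the sandbox signatures key on; the sample region is constructed for the example and embeds the exact `push 31716A05h; retf` sequence the report quotes.

```python
import math
import re
from collections import Counter

# 32-bit x86 encodings of the constructs the report flags.  Assumed patterns,
# written from the instruction encodings, not taken from the sandbox's rules.
PATTERNS = {
    "mov eax, fs:[30h] (PEB read)": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "rdtsc":                        re.compile(rb"\x0f\x31"),
    "push imm32; ret":              re.compile(rb"\x68.{4}\xc3", re.DOTALL),
    "push imm32; retf":             re.compile(rb"\x68.{4}\xcb", re.DOTALL),
    "push reg; ret":                re.compile(rb"[\x50-\x57]\xc3"),
    "push reg; retf":               re.compile(rb"[\x50-\x57]\xcb"),
    "push reg/sreg; iretd":         re.compile(rb"[\x50-\x57\x06\x0e\x16\x1e]\xcf"),
    "pushfd; retf":                 re.compile(rb"\x9c\xcb"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is the same, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_gadgets(data: bytes, base: int = 0):
    """Return sorted [(address, name, hex_bytes)] for every pattern hit."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(data):
            hits.append((base + m.start(), name, m.group().hex()))
    return sorted(hits)


def triage(data: bytes, base: int = 0, threshold: float = 7.0) -> dict:
    """Entropy plus gadget hits for one PE section or dumped memory region."""
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 3),
        "packed_or_encrypted": ent > threshold,
        "hits": scan_gadgets(data, base),
    }


# Constructed sample region for the example: the instructions the report lists,
# padded with nops and int3s.  The offset of each sequence is noted on the right.
SAMPLE_REGION = (
    b"\x90" * 4                    # 0x00  nop sled
    + b"\x64\xa1\x30\x00\x00\x00"  # 0x04  mov eax, dword ptr fs:[30h]
    + b"\x0f\x31"                  # 0x0a  rdtsc
    + b"\x68\x05\x6a\x71\x31\xcb"  # 0x0c  push 31716A05h; retf (quoted in the report)
    + b"\x53\xcf"                  # 0x12  push ebx; iretd
    + b"\x9c\xcb"                  # 0x14  pushfd; retf
    + b"\x56\xc3"                  # 0x16  push esi; ret
    + b"\xcc" * 6                  # 0x18  int3 padding
)

if __name__ == "__main__":
    result = triage(SAMPLE_REGION, base=0x02210000)
    print(f"entropy={result['entropy']} packed={result['packed_or_encrypted']}")
    for va, name, hx in result["hits"]:
        print(f"{va:#010x} {hx:14} {name}")
```

Treat the gadget hits as pointers to open in a disassembler rather than as verdicts: any 0x5X byte followed by 0xC3 matches `push reg; ret`, so ordinary code and data produce false positives, and only the one-byte-operand forms are covered here. The entropy threshold is the useful discriminator for a code section: compiler output normally sits well below 7 bits per byte, so a .text section at 7.13, as reported above, is almost certainly not native code as compiled.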
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp
Binary or memory string: SProgram Managerl
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd,
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000001.00000002.776406971.0000000000C90000.00000002.00020000.sdmp
Binary or memory string: Progmanlock