Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID: 482886
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://pantronus.com/bin_gcbZVug136."}
Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh ReversingLabs: Detection: 39%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe ReversingLabs: Detection: 57%
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 02DA099Bh 0_2_02DA02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 02DA099Ah 0_2_02DA02A8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://pantronus.com/bin_gcbZVug136.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: unarchiver.exe, 00000000.00000002.932490318.00000000010DB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file contains strange resources
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BAB0 NtAllocateVirtualMemory, 7_2_02A9BAB0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BAE0 NtAllocateVirtualMemory, 7_2_02A9BAE0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BA71 NtAllocateVirtualMemory, 7_2_02A9BA71
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BBB5 NtAllocateVirtualMemory, 7_2_02A9BBB5
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BB77 NtAllocateVirtualMemory, 7_2_02A9BB77
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9BC9E NtAllocateVirtualMemory, 7_2_02A9BC9E
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5
Source: classification engine Classification label: mal76.troj.winLZH@9/2@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr Static PE information: real checksum: 0x7fdeb should be: 0x7afb2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00402214 push 984418D8h; retf 7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00403A35 push ss; ret 7_2_00403A43
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_004088C8 push esp; ret 7_2_004088CB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_0040B6B0 push esi; ret 7_2_0040B6B2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00407D74 pushfd ; iretd 7_2_00407D92
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_0040B574 push esi; ret 7_2_0040B576
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00402577 push 984418D8h; retf 7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00405320 push edi; ret 7_2_00405323
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00409D2E pushfd ; ret 7_2_00409D3F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_004083E2 push edx; ret 7_2_004084C3
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_004089E9 push 2422A595h; retf 7_2_00408CBE
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_00404B9D push ebp; ret 7_2_00404B9F

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444 Thread sleep count: 231 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444 Thread sleep time: -115500s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe API coverage: 1.2 %
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_0133B042 GetSystemInfo, 0_2_0133B042

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9B21F mov eax, dword ptr fs:[00000030h] 7_2_02A9B21F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02A9F7B8 mov eax, dword ptr fs:[00000030h] 7_2_02A9F7B8
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02AA03EC mov eax, dword ptr fs:[00000030h] 7_2_02AA03EC
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Code function: 7_2_02AA1FF5 mov eax, dword ptr fs:[00000030h] 7_2_02AA1FF5
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos