Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID: 482886
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 3604 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 3240 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6264 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (PID: 1380 cmdline: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe MD5: 21E13385E6C6A3BE5C2922D7D02F04D6)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://pantronus.com/bin_gcbZVug136."}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://pantronus.com/bin_gcbZVug136."}
Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | ReversingLabs: Detection: 39%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | ReversingLabs: Detection: 57%
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02DA099Bh | 0_2_02DA02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02DA099Ah | 0_2_02DA02A8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://pantronus.com/bin_gcbZVug136.
Source: unarchiver.exe, 00000000.00000002.932490318.00000000010DB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BAB0 NtAllocateVirtualMemory, | 7_2_02A9BAB0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BAE0 NtAllocateVirtualMemory, | 7_2_02A9BAE0
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BA71 NtAllocateVirtualMemory, | 7_2_02A9BA71
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BBB5 NtAllocateVirtualMemory, | 7_2_02A9BBB5
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BB77 NtAllocateVirtualMemory, | 7_2_02A9BB77
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9BC9E NtAllocateVirtualMemory, | 7_2_02A9BC9E
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5
Source: classification engine | Classification label: mal76.troj.winLZH@9/2@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.dr | Static PE information: real checksum: 0x7fdeb should be: 0x7afb2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00402214 push 984418D8h; retf | 7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00403A35 push ss; ret | 7_2_00403A43
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_004088C8 push esp; ret | 7_2_004088CB
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_0040B6B0 push esi; ret | 7_2_0040B6B2
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00407D74 pushfd ; iretd | 7_2_00407D92
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_0040B574 push esi; ret | 7_2_0040B576
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00402577 push 984418D8h; retf | 7_2_00402756
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00405320 push edi; ret | 7_2_00405323
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00409D2E pushfd ; ret | 7_2_00409D3F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_004083E2 push edx; ret | 7_2_004084C3
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_004089E9 push 2422A595h; retf | 7_2_00408CBE
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_00404B9D push ebp; ret | 7_2_00404B9F
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444 | Thread sleep count: 231 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444 | Thread sleep time: -115500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | API coverage: 1.2 %
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_0133B042 GetSystemInfo, | 0_2_0133B042
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9B21F mov eax, dword ptr fs:[00000030h] | 7_2_02A9B21F
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02A9F7B8 mov eax, dword ptr fs:[00000030h] | 7_2_02A9F7B8
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02AA03EC mov eax, dword ptr fs:[00000030h] | 7_2_02AA03EC
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Code function: 7_2_02AA1FF5 mov eax, dword ptr fs:[00000030h] | 7_2_02AA1FF5
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed per tactic column; the number after a technique is the report's matched-signature count for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion 1; Disable or Modify Tools 1; Process Injection 12; Obfuscated Files or Information 2
Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; System Information Discovery 13
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel 1; Application Layer Protocol 1; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 482886 | Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | Start date: 14/09/2021 | Architecture: WINDOWS | Score: 76

Graph summary (the rendered graph and its legend are not reproduced here):
Start node signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; C2 URLs / IPs found in malware configuration
Start -> unarchiver.exe (started)
unarchiver.exe -> cmd.exe (started); unarchiver.exe -> 7za.exe (started)
cmd.exe -> NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (started; signature: Multi AV Scanner detection for dropped file); cmd.exe -> conhost.exe (started)
7za.exe -> conhost.exe (started); 7za.exe dropped C:\Users\...\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, PE32

Screenshots
