Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID: 482886
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5

Detection

GuLoader
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage
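Worked example, added to this report rather than taken from it or from Joe Security: the check behind the "PE file contains an invalid checksum" signature, i.e. recomputing OptionalHeader.CheckSum over the whole file and comparing it with the value stored in the header (the report gives 0x7fdeb stored versus 0x7afb2 computed for the dropped executable). The script builds a constructed minimal PE32 image so it runs offline; names such as build_test_image and classify are this example's own.

```python
"""Recompute a PE image's OptionalHeader.CheckSum the way the report's
"PE file contains an invalid checksum" signature does (stored value vs value
computed over the file). Added example, not code from the sandbox report;
it runs against a constructed minimal PE32 image, not against the sample."""
import struct

COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64   # same offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def compute_checksum(data: bytes) -> int:
    """imagehlp CheckSumMappedFile arithmetic: sum every 32-bit word except the
    CheckSum field itself with end-around carry, fold the sum to 16 bits, then
    add the unpadded file length."""
    skip_index = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)          # dword-align the tail
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                           # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def classify(data: bytes) -> str:
    """'unset' (field is 0, tolerated for user-mode images), 'valid', or
    'invalid' (non-zero but wrong, as with the dropped file: stored 0x7fdeb,
    computed 0x7afb2)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "valid" if stored == compute_checksum(data) else "invalid"


def build_test_image(section_bytes: bytes) -> bytes:
    """Constructed PE32 skeleton (placeholder, not the analysed sample):
    DOS header, PE signature, COFF header, 224-byte optional header, one
    section header, then the section body at file offset 0x200."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<IIII", opt, 16, 0x1000, 0x1000, 0, 0x400000)   # entry, code, data, image base
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # section / file alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                    # SizeOfImage, SizeOfHeaders
    raw_offset = 0x200                                                 # CheckSum at opt+64 stays 0
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_offset, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (raw_offset - len(headers))
    return headers + section_bytes


if __name__ == "__main__":
    image = build_test_image(b"\x90" * 30)
    print("fresh image:", classify(image), hex(stored_checksum(image)))
    fixed = set_checksum(image, compute_checksum(image))
    print("after fixing:", classify(fixed), hex(stored_checksum(fixed)))
    print("wrong value written in:", classify(set_checksum(image, 0x7FDEB)))
```

An unset (zero) checksum is normal for many user-mode binaries, and Windows does not enforce the field for ordinary executables, so only a non-zero mismatch is a meaningful triage signal: it usually means the file was modified after linking, as happens when a crypter patches or appends to a stub.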

Process Tree

  • System is w10x64
  • unarchiver.exe (PID: 3604 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 3240 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6264 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (PID: 1380 cmdline: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe MD5: 21E13385E6C6A3BE5C2922D7D02F04D6)
  • cleanup
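The chain above is the one a detection engineer would want to recognise on an endpoint: the archive is unpacked into a freshly named directory under %LOCALAPPDATA%\Temp and the extracted PE is started through cmd.exe /C. unarchiver.exe and 7za.exe (run with the password "infected") are the sandbox's own unpacking helpers, so on a real host the archiver would be whatever tool the user used, but the Temp-path launch and the link between the extraction directory and the launched image carry over. The check below is an added example, not part of the report: EVENTS are constructed from the process tree (same PIDs, images and command lines, with ppid 0 standing in for the unknown parent of unarchiver.exe), and ARCHIVER_NAMES, TEMP_PE and SEVENZIP_OUTDIR are this example's own assumptions.

```python
"""Detection check for the launch pattern in the process tree above: an archive
is unpacked into a fresh directory under %LOCALAPPDATA%\\Temp and the extracted
PE is started through cmd.exe /C. Added example, not part of the report. EVENTS
mirror the report's process tree (same PIDs, images, command lines); ppid 0 is a
placeholder for the unknown parent of unarchiver.exe."""
import re
from typing import Dict, List

# assumption: process names treated as archive extractors
ARCHIVER_NAMES = {"7za.exe", "7z.exe", "7zg.exe", "7zfm.exe", "winrar.exe", "unarchiver.exe"}
# PE image path anywhere below <profile>\AppData\Local\Temp
TEMP_PE = re.compile(r"\\AppData\\Local\\Temp\\(?:[^\\]+\\)*[^\\]+\.(?:exe|scr|com|pif)$", re.IGNORECASE)
# 7-Zip output-directory switch: -o{dir}, optionally quoted
SEVENZIP_OUTDIR = re.compile(r"-o['\"]?([A-Za-z]:\\[^'\"]+)")

EVENTS: List[Dict] = [   # constructed process-creation records, not real telemetry
    {"pid": 3604, "ppid": 0, "image": r"C:\Windows\SysWOW64\unarchiver.exe",
     "cmdline": r"'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'"},
    {"pid": 3240, "ppid": 3604, "image": r"C:\Windows\SysWOW64\7za.exe",
     "cmdline": r"'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'"},
    {"pid": 5776, "ppid": 3240, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6264, "ppid": 3604, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'"},
    {"pid": 4500, "ppid": 6264, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 1380, "ppid": 6264,
     "image": r"C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(events: List[Dict], pid: int) -> List[Dict]:
    """Process record followed by its ancestors (child first); stops at an
    unknown ppid or a cycle."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def extraction_dirs(events: List[Dict]) -> List[str]:
    """Output directories named on archiver command lines (7-Zip -o syntax)."""
    dirs: List[str] = []
    for e in events:
        if basename(e["image"]).lower() in ARCHIVER_NAMES:
            dirs += SEVENZIP_OUTDIR.findall(e["cmdline"])
    return dirs


def find_temp_pe_launches(events: List[Dict]) -> List[Dict]:
    """One finding per PE running from below Temp when either its parent is
    cmd.exe /C or its directory was just named as an archiver's extraction
    target. Both conditions hold for PID 1380 in the report's tree."""
    by_pid = {e["pid"]: e for e in events}
    out_dirs = [d.lower().rstrip("\\") for d in extraction_dirs(events)]
    findings = []
    for e in events:
        if not TEMP_PE.search(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        via_cmd = parent_name.lower() == "cmd.exe" and "/c" in parent["cmdline"].lower()
        src_dir = next((d for d in out_dirs if e["image"].lower().startswith(d + "\\")), None)
        if via_cmd or src_dir:
            chain = ancestry(events, e["pid"])
            findings.append({
                "pid": e["pid"],
                "image": e["image"],
                "parent": parent_name,
                "extraction_dir": src_dir,
                "chain": " <- ".join(basename(p["image"]) for p in chain),
            })
    return findings


if __name__ == "__main__":
    for finding in find_temp_pe_launches(EVENTS):
        print(finding)
```

Keying on the extraction directory rather than on the archiver's process name is what keeps the check useful outside the sandbox, where the parent of cmd.exe is typically explorer.exe or an archiver GUI rather than unarchiver.exe.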

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://pantronus.com/bin_gcbZVug136."}

Yara Overview

Memory Dumps

Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

The matching dump belongs to process 7 (NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, PID 1380), dump 2, at base address 0x02A90000; the code functions prefixed 7_2_02A9... in the signature section below lie in this same region, and the GuLoader configuration was extracted from it.

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://pantronus.com/bin_gcbZVug136."}
    Multi AV Scanner detection for submitted file
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzhVirustotal: Detection: 14%
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzhReversingLabs: Detection: 39%
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeVirustotal: Detection: 33%
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeMetadefender: Detection: 25%
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeReversingLabs: Detection: 57%
    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 02DA099Bh
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 02DA099Ah

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: http://pantronus.com/bin_gcbZVug136.
    Source: unarchiver.exe, 00000000.00000002.932490318.00000000010DB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_02DA02A8
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_02DA0298
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BAB0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A962BF
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A966B0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A2B0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C6B0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA06B0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A992B7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92699
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96A9B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9969B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9869E
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99E9E
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93A90
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BAE0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A992F9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99ACB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A936CC
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A98EC0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A922C2
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A932C2
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93AC7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92ADC
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A986D0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA3AD5
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96A29
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9322B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92A2C
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92620
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99E22
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96624
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99626
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96639
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96233
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A235
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99209
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C61C
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA1A7C
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BA71
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A277
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92248
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95A4E
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92E5F
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A98E53
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99A57
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A997A7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A3B9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99BBB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95BBA
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A98FBF
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A963B1
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A983B1
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A997B6
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A94389
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93B88
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9278F
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A98F85
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A91F84
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92B9B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9339C
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9139E
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A94395
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92397
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A993E9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93BE8
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A937E7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A913F9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A927FF
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99FF0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A993F2
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A91FF4
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A957F7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA1FF5
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95BC9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95BCB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A967C4
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C3DD
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92B2A
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9232F
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C32F
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93323
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9673B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A98F30
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93737
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92F0B
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93B00
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95B1D
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92716
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9576A
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C361
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A91F62
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99F7F
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A94F77
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BB77
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96347
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99347
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99B58
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A95B5E
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A91354
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A990AB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A934A0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A920A7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A99CB0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9149A
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9949C
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A92C90
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A96497
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A968EB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A4E1
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A93CE0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9A0E0
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A958E7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A918E6
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A934FE
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A998F1
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A920F7
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9C4CB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA10C9
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A988CD
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9B4C3
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A998C2
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A928DB
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BAB0 NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BAE0 NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BA71 NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BBB5 NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BB77 NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9BC9E NtAllocateVirtualMemory,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeProcess Stats: CPU usage > 98%
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzhVirustotal: Detection: 14%
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzhReversingLabs: Detection: 39%
    Source: C:\Windows\SysWOW64\unarchiver.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Source: C:\Windows\SysWOW64\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
    Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5
    Source: classification engineClassification label: mal76.troj.winLZH@9/2@0/0
    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara matchFile source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
    Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe.1.drStatic PE information: real checksum (stored in the header): 0x7fdeb, should be (computed over the file): 0x7afb2
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00402214 push 984418D8h; retf
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00403A35 push ss; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_004088C8 push esp; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_0040B6B0 push esi; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00407D74 pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_0040B574 push esi; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00402577 push 984418D8h; retf
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00405320 push edi; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00409D2E pushfd ; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_004083E2 push edx; ret
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_004089E9 push 2422A595h; retf
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_00404B9D push ebp; ret
    Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX (17 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeProcess information set: NOOPENFILEERRORBOX (3 occurrences)
    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444Thread sleep count: 231 > 30
    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5444Thread sleep time: -115500s >= -30000s
    Source: C:\Windows\SysWOW64\unarchiver.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\unarchiver.exeLast function: Thread delayed
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeAPI coverage: 1.2 %
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 0_2_0133B042 GetSystemInfo,
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9B21F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02A9F7B8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA03EC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeCode function: 7_2_02AA1FF5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guard
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: unarchiver.exe, 00000000.00000002.933056918.00000000017D0000.00000002.00020000.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe, 00000007.00000002.932934114.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
    Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\unarchiver.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
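The push/ret, push/retf, pushfd/iretd, fs:[30h] (PEB) and "4x nop then jmp" findings above are byte-level idioms that can be checked statically. The scanner below is an added example, not Joe Security's signature logic, that looks for their standard x86-32 encodings in a code buffer; SAMPLE_BLOB is constructed to contain one of each and is not data taken from the sample.

```python
"""Byte-pattern scan for the anti-analysis and obfuscation idioms the report
attributes to the dropped executable (process 7): PEB reads via fs:[30h],
push/ret and push/retf control-flow tricks, pushfd/iretd, and inlined nop
runs before a jmp. Added example, not from the sandbox report; the encodings
are standard x86-32 and the sample buffer is constructed."""
import re
from typing import Dict, List, Tuple

# name -> compiled regex over raw bytes
PATTERNS: Dict[str, re.Pattern] = {
    # mov eax, dword ptr fs:[00000030h]  ->  64 A1 30 00 00 00
    "peb_read_fs30": re.compile(rb"\x64\xA1\x30\x00\x00\x00"),
    # push imm32 ; retf  ->  68 xx xx xx xx CB   (e.g. "push 984418D8h; retf")
    "push_imm32_retf": re.compile(rb"\x68.{4}\xCB", re.DOTALL),
    # push r32 ; ret  ->  50..57 C3   ("push esi; ret", "push edi; ret", ...)
    "push_reg_ret": re.compile(rb"[\x50-\x57]\xC3"),
    # push ss ; ret  ->  16 C3
    "push_ss_ret": re.compile(rb"\x16\xC3"),
    # pushfd ; ret / pushfd ; iretd  ->  9C C3 / 9C CF
    "pushfd_ret_or_iretd": re.compile(rb"\x9C[\xC3\xCF]"),
    # four or more nops then jmp rel32 (E9) or jmp rel8 (EB)
    "nop_run_then_jmp": re.compile(rb"\x90{4,}(?:\xE9.{4}|\xEB.)", re.DOTALL),
}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """(pattern_name, offset) for every match, ordered by offset."""
    hits = [(name, m.start()) for name, rx in PATTERNS.items() for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def summarize(blob: bytes) -> Dict[str, int]:
    counts = {name: 0 for name in PATTERNS}
    for name, _ in scan(blob):
        counts[name] += 1
    return counts


def looks_obfuscated(blob: bytes, min_distinct: int = 2) -> bool:
    """Heuristic verdict: at least `min_distinct` different idioms present.
    A lone two-byte hit such as push reg; ret is expected to false-positive
    on data or misaligned code, hence the threshold."""
    return sum(1 for n in summarize(blob).values() if n) >= min_distinct


# Constructed buffer (not bytes from the sample): an ordinary prologue, then one
# instance of each idiom listed in the report.
SAMPLE_BLOB = (
    b"\x55\x8B\xEC\x83\xEC\x10"                 # push ebp; mov ebp,esp; sub esp,10h
    + b"\x64\xA1\x30\x00\x00\x00"               # mov eax, fs:[30h]   (PEB)
    + b"\x8B\x40\x0C"                           # mov eax, [eax+0Ch]  (PEB.Ldr)
    + b"\x68\xD8\x18\x44\x98\xCB"               # push 984418D8h ; retf
    + b"\x90\x90\x90\x90\xE9\x10\x00\x00\x00"   # 4x nop ; jmp +10h
    + b"\x56\xC3"                               # push esi ; ret
    + b"\x9C\xCF"                               # pushfd ; iretd
    + b"\x16\xC3"                               # push ss ; ret
    + b"\xC9\xC3"                               # leave ; ret
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE_BLOB):
        print(f"{off:#06x}  {name}")
    print("obfuscated:", looks_obfuscated(SAMPLE_BLOB))
```

Because the patterns are matched on raw bytes with no disassembly, a single hit in a large binary is weak evidence; the verdict therefore requires several distinct idioms, in line with the report's own "likely" wording for these signatures. The same byte strings port directly to YARA hex strings if that is the scanning engine in use.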

    Mitre Att&ck Matrix

    Techniques with at least one matching signature (number of matching signatures in parentheses); all other cells of the report's matrix showed no match for this sample.

    Privilege Escalation: Process Injection (12)
    Defense Evasion: Process Injection (12); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Obfuscated Files or Information (2)
    Credential Access: Input Capture (1)
    Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Information Discovery (13)
    Collection: Input Capture (1); Archive Collected Data (1)
    Command and Control: Encrypted Channel (1); Application Layer Protocol (1)
    Initial Access, Execution, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matching signatures

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 482886
    Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
    Start date: 14/09/2021
    Architecture: WINDOWS
    Score: 76
    Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; C2 URLs / IPs found in malware configuration
    Process chain: unarchiver.exe starts cmd.exe and 7za.exe; cmd.exe starts NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (Multi AV Scanner detection for dropped file) and conhost.exe; 7za.exe starts conhost.exe and drops C:\Users\...\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe (PE32)

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | 14% | Virustotal | | Browse
    NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh | 40% | ReversingLabs | Win32.Backdoor.Androm |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | 34% | Virustotal | | Browse
    C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | 29% | Metadefender | | Browse
    C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe | 58% | ReversingLabs | Win32.Backdoor.Androm |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://pantronus.com/bin_gcbZVug136. | 0% | Virustotal | | Browse
    http://pantronus.com/bin_gcbZVug136. | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://pantronus.com/bin_gcbZVug136. | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:482886
    Start date:14.09.2021
    Start time:09:42:43
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 2s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:20
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.winLZH@9/2@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 39% (good quality ratio 25%)
    • Quality average: 34.6%
    • Quality standard deviation: 33%
    HCA Information:
    • Successful, ratio: 95%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .lzh
    Warnings:
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Process:C:\Windows\SysWOW64\7za.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):471040
    Entropy (8bit):4.253459931665977
    Encrypted:false
    SSDEEP:6144:YMDKzMGGdOxLwdffBfwfBfB6rtHGGGGGgGGGGGGGGGGGGGGGSGGGLGGGGGGGGGGg:YjTOlpltB
    MD5:21E13385E6C6A3BE5C2922D7D02F04D6
    SHA1:A4CC3FB3CDDC95E8C2BF353205DD540220EC0576
    SHA-256:F0C28EABB44D97B7C5F6906B3862A358B3F91245E2AEF683C371C31C54560AD3
    SHA-512:207143B24E50BC5CCA8DBCA5C8FD90F3D41A1A7BFDAF4EF5FF102141462FCD69588D5A3614CF8CCB1594763A69180387F2B0C12E6CBB30FB0D041A58048A8A4F
    Malicious:true
    Antivirus:
    • Antivirus: Virustotal, Detection: 34%, Browse
    • Antivirus: Metadefender, Detection: 29%, Browse
    • Antivirus: ReversingLabs, Detection: 58%
    Reputation:low
    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L....C.O.................`..........H........p....@..........................@..............................................._..(.......n...................................................................8... .......4............................text...HT.......`.................. ..`.data........p.......p..............@....rsrc...n...........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Temp\rwew4jnu.3k5\unarchiver.log
    Process:C:\Windows\SysWOW64\unarchiver.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1508
    Entropy (8bit):5.290897978868285
    Encrypted:false
    SSDEEP:24:C1zGXDJ3frIiJRJIiJjWILIiJRJIiJUwZIiJfsdIiJRJIiJFTAzGXDJIiJbNIiJ1:1X58GcGbcGcGpiGUmGcGpVXuGb2GuXuh
    MD5:50386A038F345FB33F443D9AF8DB64C3
    SHA1:C27E86C40C7A37A8E092CBF703286DE3A12DDD45
    SHA-256:C00ABC679A6E8C72E409C4958A8F814CDF75573600B52C0CA9A548CC2651BADF
    SHA-512:15BBF1BB693AFA2CA6A96C225361E18B39882D325B002E65666F9C914C47C683E764E68ACD8286C22B51654463703A1019D36325005663FB9379B0C9E42D73A9
    Malicious:false
    Reputation:low
    Preview: 09/14/2021 9:43 AM: Unpack: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: Scanning the drive for archives:..09/14/2021 9:43 AM: Received from standard out: 1 file, 107136 bytes (105 KiB)..09/14/2021 9:43 AM: Received from standard out: ..09/14/2021 9:43 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Received from standard out: --..09/14/2021 9:43 AM: Received from standard out: Path = C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh..09/14/2021 9:43 AM: Received from standard out: Type = Lzh..09/14/2021 9:43 AM: Received from standard out: Physical Si

    Static File Info

    General

    File type: LHa (2.x) archive data [lh5], with "NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe"
    Entropy (8bit):7.983327494950816
    TrID:
    • LHARC/LZARK compressed archive (6/4) 100.00%
    File name:NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
    File size:107136
    MD5:b71a9e479123528ba6f7b8642b924d0e
    SHA1:5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
    SHA256:1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5
    SHA512:ba6f16107c9a944ca2c62b419ff29933caad97650f4482102f92c364d95d52282710a2882723785373035e79828e56f98aee69f0f280b81c9cecbe103e7dbcde
    SSDEEP:3072:dVlHrjorhU1+isBSk4x1DdS3sdP2hxhBpimq:9r8U+94x1Z2s1qxPY
    File Content Preview:6.-lh5-H....0....-S . NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe..^.........]..x........2.Z....R..Z*T..R....f.......P..2j.IEU..HQU$........}........=.....y...{..|.'.;.....@....#m.3<E......=.....5...e..|..k..U....x.N...%..i..B..AC.5c@i ..".......6..c...j. t.........

    File Icon

    Icon Hash:00828e8e8686b000

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    Behavior


    System Behavior

    General

    Start time:09:43:43
    Start date:14/09/2021
    Path:C:\Windows\SysWOW64\unarchiver.exe
    Wow64 process (32bit):true
    Commandline:'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Imagebase:0xa40000
    File size:10240 bytes
    MD5 hash:DB55139D9DD29F24AE8EA8F0E5606901
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:moderate

    General

    Start time:09:43:44
    Start date:14/09/2021
    Path:C:\Windows\SysWOW64\7za.exe
    Wow64 process (32bit):true
    Commandline:'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
    Imagebase:0x840000
    File size:289792 bytes
    MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:09:43:45
    Start date:14/09/2021
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff724c50000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:09:43:46
    Start date:14/09/2021
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe'
    Imagebase:0x11d0000
    File size:232960 bytes
    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:09:43:47
    Start date:14/09/2021
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff724c50000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:09:43:47
    Start date:14/09/2021
    Path:C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Local\Temp\rcnbbfid.mtk\NOA_-_CMA_CGM_ARRIVAL_NOTICE.exe
    Imagebase:0x400000
    File size:471040 bytes
    MD5 hash:21E13385E6C6A3BE5C2922D7D02F04D6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.933522387.0000000002A90000.00000040.00000001.sdmp, Author: Joe Security
    Antivirus matches:
    • Detection: 34%, Virustotal, Browse
    • Detection: 29%, Metadefender, Browse
    • Detection: 58%, ReversingLabs
    Reputation:low

    Disassembly

    Code Analysis
