Source: 00000000.00000002.856631658.0000000002260000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1rXtK"}
Source: BESTPREIS-ANFRAGE.exe
ReversingLabs: Detection: 28%
Source: BESTPREIS-ANFRAGE.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=download&id=1rXtK
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856430845.000000000074A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856347893.0000000000416000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameVENALIZE.exe vs BESTPREIS-ANFRAGE.exe
Source: BESTPREIS-ANFRAGE.exe
Binary or memory string: OriginalFilenameVENALIZE.exe vs BESTPREIS-ANFRAGE.exe
Source: BESTPREIS-ANFRAGE.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_0226C61F
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02266672
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02260775
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_022677B2
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_022657B0
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02260780
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_0226544D
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_0226557A
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_022665A3
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02267B4F NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02267C4A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Process Stats: CPU usage > 98%
Source: BESTPREIS-ANFRAGE.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
File created: C:\Users\user\AppData\Local\Temp\~DFEC32C876104529D6.TMP
Source: classification engine
Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: Yara match
File source: 00000000.00000002.856631658.0000000002260000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00409087 push ss; ret at 0_2_004090BD
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00408917 pushfd; retf at 0_2_00408918
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_004059D8 push edx; retf at 0_2_00405A0E
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00408A48 push ecx; ret at 0_2_00408A56
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00402A69 push es; iretd at 0_2_00402A6F
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00405218 push ebx; iretd at 0_2_00405229
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_00409B16 pushad; retf at 0_2_00409B19
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02264B33 push es; iretd at 0_2_02264B4D
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02260B6A push ebp; iretd at 0_2_02260B77
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02264EFD push esp; iretd at 0_2_02264F00
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02261C0A push cs; ret at 0_2_02261C47
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_0226A410 pushad; iretd at 0_2_0226A414
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02268CB0 push 2E9BB4ECh; iretd at 0_2_02268CB5
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02261D1D push ecx; retf at 0_2_02261D1E
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02264DEE push eax; iretd at 0_2_02264DF5
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
RDTSC instruction interceptor: First address: 000000000040E830 second address: 000000000040E830 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 mfence 0x00000007 popad 0x00000008 nop 0x00000009 mfence 0x0000000c dec edi 0x0000000d cmp eax, 000000D2h 0x00000012 pushfd 0x00000013 popfd 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F682498CB8Eh 0x00000019 nop 0x0000001a pushfd 0x0000001b popfd 0x0000001c pushad 0x0000001d wait 0x0000001e cmp ecx, 00000084h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
RDTSC instruction interceptor: First address: 0000000002267298 second address: 0000000002267298 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 1185650Fh 0x00000007 xor eax, 7B4D8634h 0x0000000c xor eax, 869DF991h 0x00000011 add eax, 13AAE557h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F6824AEA438h 0x0000001e lfence 0x00000021 mov edx, AEB5F928h 0x00000026 xor edx, 1B41005Dh 0x0000002c add edx, 46E6D0EDh 0x00000032 xor edx, 8325CA76h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001E9h], eax 0x0000004b mov eax, BC0FD70Dh 0x00000050 xor eax, CB05B517h 0x00000055 xor eax, 98705113h 0x0000005a xor eax, EF7A3309h 0x0000005f cmp ecx, eax 0x00000061 mov eax, dword ptr [ebp+000001E9h] 0x00000067 jne 00007F6824AEA3F2h 0x00000069 mov dword ptr [ebp+000001BBh], esi 0x0000006f mov esi, ecx 0x00000071 push esi 0x00000072 cmp bh, ch 0x00000074 mov esi, dword ptr [ebp+000001BBh] 0x0000007a test dl, cl 0x0000007c call 00007F6824AEA4F1h 0x00000081 call 00007F6824AEA459h 0x00000086 lfence 0x00000089 mov edx, AEB5F928h 0x0000008e xor edx, 1B41005Dh 0x00000094 add edx, 46E6D0EDh 0x0000009a xor edx, 8325CA76h 0x000000a0 mov edx, dword ptr [edx] 0x000000a2 lfence 0x000000a5 ret 0x000000a6 mov esi, edx 0x000000a8 pushad 0x000000a9 rdtsc
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02267290 rdtsc
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_022670AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_0226A1B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BESTPREIS-ANFRAGE.exe
Code function: 0_2_02269C63 mov eax, dword ptr fs:[00000030h]
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp
Binary or memory string: &Program Manager
Source: BESTPREIS-ANFRAGE.exe, 00000000.00000002.856524305.0000000000DD0000.00000002.00020000.sdmp
Binary or memory string: Progmanlock