Source: 00000001.00000002.815595666.00000000021E0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1nGJi"} |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe |
Virustotal: Detection: 20% |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1nGJi |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.810461563.00000000006FA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000000.284587684.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameAfblomstrings8.exe vs Dokument VAT I - 85926 09 2021 MAG-8.exe |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe |
Binary or memory string: OriginalFilenameAfblomstrings8.exe vs Dokument VAT I - 85926 09 2021 MAG-8.exe |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E7466 |
1_2_021E7466 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021EB95B |
1_2_021EB95B |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5E19 |
1_2_021E5E19 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E9416 |
1_2_021E9416 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E6014 |
1_2_021E6014 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E720B |
1_2_021E720B |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E503A |
1_2_021E503A |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5838 |
1_2_021E5838 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E9638 |
1_2_021E9638 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E564E |
1_2_021E564E |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021EA464 |
1_2_021EA464 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E7488 |
1_2_021E7488 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5ABA |
1_2_021E5ABA |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5ED2 |
1_2_021E5ED2 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E54EB |
1_2_021E54EB |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5511 |
1_2_021E5511 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021EA92B |
1_2_021EA92B |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E595E |
1_2_021E595E |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5776 |
1_2_021E5776 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E6166 |
1_2_021E6166 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E59B1 |
1_2_021E59B1 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E53AC |
1_2_021E53AC |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E59A6 |
1_2_021E59A6 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E5BCA |
1_2_021E5BCA |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E7466 NtAllocateVirtualMemory, |
1_2_021E7466 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E7488 NtAllocateVirtualMemory, |
1_2_021E7488 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Process Stats: CPU usage > 98% |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFBDA2D233B6FDE700.TMP |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000001.00000002.815595666.00000000021E0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00403E4C push esp; iretd |
1_2_00403E82 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00404E5C push esp; ret |
1_2_00404E5D |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00405029 push FFFFFFFBh; ret |
1_2_0040502D |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_0040769A push ebp; ret |
1_2_0040769D |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_004040B4 push esp; ret |
1_2_004040B5 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00403F77 push esp; ret |
1_2_00403FF9 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00407304 push esp; ret |
1_2_004072ED |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_0040713E push esp; ret |
1_2_004072ED |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_004071F5 push esp; ret |
1_2_004072ED |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00408789 push esp; ret |
1_2_00408795 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_00407D93 push esp; ret |
1_2_00407D99 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E3EF5 pushad ; retf |
1_2_021E3EF6 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E413D push edx; iretd |
1_2_021E415C |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E4552 push ecx; ret |
1_2_021E4575 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E858D push esi; ret |
1_2_021E858E |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E73B9 push edi; iretd |
1_2_021E73CD |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E3BB7 push edx; ret |
1_2_021E3BBE |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E73CF pushad ; ret |
1_2_021E73D1 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E73E2 push edi; iretd |
1_2_021E73CD |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
RDTSC instruction interceptor: First address: 000000000040E86D second address: 000000000040E86D instructions: 0x00000000 rdtsc 0x00000002 wait 0x00000003 nop 0x00000004 popad 0x00000005 mfence 0x00000008 mfence 0x0000000b dec edi 0x0000000c cmp eax, 63h 0x0000000f cmp eax, 04h 0x00000012 cmp edi, 00000000h 0x00000015 jne 00007F28FCD8F3C0h 0x00000017 cmp ecx, 06h 0x0000001a mfence 0x0000001d pushad 0x0000001e pushfd 0x0000001f popfd 0x00000020 pushfd 0x00000021 popfd 0x00000022 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E70A2 rdtsc |
1_2_021E70A2 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E9C00 mov eax, dword ptr fs:[00000030h] |
1_2_021E9C00 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E9624 mov eax, dword ptr fs:[00000030h] |
1_2_021E9624 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021EA92B mov eax, dword ptr fs:[00000030h] |
1_2_021EA92B |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021E6BA5 mov eax, dword ptr fs:[00000030h] |
1_2_021E6BA5 |
Source: C:\Users\user\Desktop\Dokument VAT I - 85926 09 2021 MAG-8.exe |
Code function: 1_2_021EB95B RtlAddVectoredExceptionHandler, |
1_2_021EB95B |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Dokument VAT I - 85926 09 2021 MAG-8.exe, 00000001.00000002.815103622.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |