Source: 00000000.00000002.816420146.0000000002270000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=do"} |
Source: Payment_Advice.exe |
ReversingLabs: Detection: 11% |
Source: Payment_Advice.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=do |
Source: initial sample |
Static PE information: Filename: Payment_Advice.exe |
Source: Payment_Advice.exe |
Static file information: Suspicious name |
Source: Payment_Advice.exe, 00000000.00000002.813548449.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameAFFEJENDES.exe vs Payment_Advice.exe |
Source: Payment_Advice.exe |
Binary or memory string: OriginalFilenameAFFEJENDES.exe vs Payment_Advice.exe |
Source: Payment_Advice.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02277792 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0227BB90 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_022752DA |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02279B36 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02277B60 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02275463 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02277528 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0227A9AA |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02277792 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Process Stats: CPU usage > 98% |
Source: Payment_Advice.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF32C15638EC5B1167.TMP |
Source: classification engine |
Classification label: mal84.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.816420146.0000000002270000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0040407C pushfd ; retf |
0_2_0040417B |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00404004 pushfd ; retf |
0_2_0040417B |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_004040D2 pushfd ; retf |
0_2_0040417B |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00406AAD push edi; retf |
0_2_00406AB8 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00408578 push BCCCD893h; retf |
0_2_0040857D |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00405124 push ebp; ret |
0_2_00405126 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0040332B pushad ; ret |
0_2_004034E9 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_004053ED push 98EC4AA3h; iretd |
0_2_00405421 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_004031F9 push cs; retf |
0_2_004031FA |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00403397 pushad ; ret |
0_2_004034E9 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0040639F push eax; iretd |
0_2_004063A0 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_00406BB3 push edi; ret |
0_2_00406BC2 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02270475 push ds; iretd |
0_2_022704F9 |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
RDTSC instruction interceptor: First address: 000000000040EAAD second address: 000000000040EAAD instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 nop
  0x00000006 popad
  0x00000007 cmp ecx, 000000E3h
  0x0000000d wait
  0x0000000e dec edi
  0x0000000f cmp ecx, 0000009Bh
  0x00000015 cmp ecx, 21h
  0x00000018 cmp edi, 00000000h
  0x0000001b jne 00007F774439025Ch
  0x0000001d wait
  0x0000001e nop
  0x0000001f pushad
  0x00000020 mfence
  0x00000023 mfence
  0x00000026 rdtsc |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
RDTSC instruction interceptor: First address: 000000000227703A second address: 000000000227703A instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 3D8136F2h
  0x00000007 sub eax, 4424654Ch
  0x0000000c add eax, 25DE290Dh
  0x00000011 xor eax, 1F3AFAB2h
  0x00000016 cpuid
  0x00000018 jmp 00007F774490E99Ah
  0x0000001a test dx, ax
  0x0000001d popad
  0x0000001e call 00007F774490E95Bh
  0x00000023 lfence
  0x00000026 mov edx, 9B1CCDD8h
  0x0000002b xor edx, AF97A1F8h
  0x00000031 xor edx, A8058B4Dh
  0x00000037 xor edx, E370E779h
  0x0000003d mov edx, dword ptr [edx]
  0x0000003f lfence
  0x00000042 ret
  0x00000043 sub edx, esi
  0x00000045 ret
  0x00000046 pop ecx
  0x00000047 add edi, edx
  0x00000049 dec ecx
  0x0000004a mov dword ptr [ebp+000001E8h], ecx
  0x00000050 mov ecx, 9B315063h
  0x00000055 add ecx, 41FD8E20h
  0x0000005b xor ecx, BAB84FC4h
  0x00000061 sub ecx, 67969147h
  0x00000067 cmp dword ptr [ebp+000001E8h], ecx
  0x0000006d mov ecx, dword ptr [ebp+000001E8h]
  0x00000073 jne 00007F774490E90Dh
  0x00000075 mov dword ptr [ebp+00000216h], edx
  0x0000007b mov edx, ecx
  0x0000007d push edx
  0x0000007e mov edx, dword ptr [ebp+00000216h]
  0x00000084 cmp bl, dl
  0x00000086 call 00007F774490E9BCh
  0x0000008b call 00007F774490E9C9h
  0x00000090 lfence
  0x00000093 mov edx, 9B1CCDD8h
  0x00000098 xor edx, AF97A1F8h
  0x0000009e xor edx, A8058B4Dh
  0x000000a4 xor edx, E370E779h
  0x000000aa mov edx, dword ptr [edx]
  0x000000ac lfence
  0x000000af ret
  0x000000b0 mov esi, edx
  0x000000b2 pushad
  0x000000b3 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02277032 rdtsc |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02276E76 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02279E4A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_022798A6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_02274D08 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Payment_Advice.exe |
Code function: 0_2_0227BB90 RtlAddVectoredExceptionHandler, |
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Payment_Advice.exe, 00000000.00000002.814578023.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |