| Source | Detail | Ref |
|---|---|---|
| Kapitu.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloadV"} | |
| Kapitu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED | |
| Malware configuration extractor | URLs: https://drive.google.com/uc?export=downloadV | |
| Kapitu.exe, 00000000.00000002.824160244.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
| Kapitu.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST | |
| C:\Users\user\Desktop\Kapitu.exe | Process Stats: CPU usage > 98% | |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02157807 | 0_2_02157807 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0215E1B8 | 0_2_0215E1B8 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0215E3A7 | 0_2_0215E3A7 |
| C:\Users\user\Desktop\Kapitu.exe | File created: C:\Users\user\AppData\Local\Temp\~DF4D2070BA92FABBC9.TMP | |
| Kapitu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ | |
| C:\Users\user\Desktop\Kapitu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | |
| C:\Users\user\Desktop\Kapitu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll | |
| classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0 | |
| Yara match | File source: 00000000.00000002.824313775.0000000002150000.00000040.00000001.sdmp, type: MEMORY | |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_00403C75 pushfd ; retf | 0_2_00403C76 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0040487A push esp; iretd | 0_2_00404843 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0040480A push esp; iretd | 0_2_00404843 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_00405F60 push ss; retf | 0_2_00405F68 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_00404F20 push 00000016h; ret | 0_2_00404F28 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_004033DC push eax; ret | 0_2_004033E9 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02152C34 push edi; retf | 0_2_02152C3F |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02152EF9 push ebx; iretd | 0_2_02152FEF |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02152F3E push ebx; iretd | 0_2_02152FEF |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02152F88 push ebx; iretd | 0_2_02152FEF |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_021549BD push edx; retf | 0_2_021549D1 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02152BFC push edi; retf | 0_2_02152C3F |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_021507E5 push ecx; retf | 0_2_021507E6 |
| C:\Users\user\Desktop\Kapitu.exe | Process information set: NOOPENFILEERRORBOX | |
| all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected | |
| C:\Users\user\Desktop\Kapitu.exe | Process Stats: CPU usage > 90% for more than 60s | |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0215D408 mov eax, dword ptr fs:[00000030h] | 0_2_0215D408 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_02159717 mov eax, dword ptr fs:[00000030h] | 0_2_02159717 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0215CD70 mov eax, dword ptr fs:[00000030h] | 0_2_0215CD70 |
| C:\Users\user\Desktop\Kapitu.exe | Code function: 0_2_0215E3A7 mov eax, dword ptr fs:[00000030h] | 0_2_0215E3A7 |
| Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager | |
| Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd | |
| Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progman | |
| Kapitu.exe, 00000000.00000002.824238572.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock | |