Windows Analysis Report LISTA DE PEDIDO DE COMPRA.exe

Overview

General Information

Sample Name: LISTA DE PEDIDO DE COMPRA.exe
Analysis ID: 491627
MD5: 943986d4cb51d4cc29946aa7914dbc5b
SHA1: cce8ec41fe0fabda407eaa5b8b9efc81168c5e5c
SHA256: 47d8b37351178ed6a40a269f3f42eb23fa0780a9a93098439275f7e66897a924
Tags: exeguloader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.1189362749.0000000002980000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&idT"}
Multi AV Scanner detection for submitted file
Source: LISTA DE PEDIDO DE COMPRA.exe ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&idT

System Summary:

Sample file name is different from the original file name gathered from version info
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000000.663817424.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe
Source: LISTA DE PEDIDO DE COMPRA.exe Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe
PE file contains strange resources
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02987681 0_2_02987681
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02986093 0_2_02986093
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985E8F 0_2_02985E8F
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029876A2 0_2_029876A2
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985AC7 0_2_02985AC7
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029860E5 0_2_029860E5
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298524F 0_2_0298524F
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985F87 0_2_02985F87
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029859B8 0_2_029859B8
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985BF8 0_2_02985BF8
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029861FD 0_2_029861FD
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985D1E 0_2_02985D1E
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298771F 0_2_0298771F
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02985908 0_2_02985908
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02987739 0_2_02987739
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298753E 0_2_0298753E
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02986353 0_2_02986353
Contains functionality to call native functions
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02987681 NtAllocateVirtualMemory, 0_2_02987681
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029876A2 NtAllocateVirtualMemory, 0_2_029876A2
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298783F NtAllocateVirtualMemory, 0_2_0298783F
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298771F NtAllocateVirtualMemory, 0_2_0298771F
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02987739 NtAllocateVirtualMemory, 0_2_02987739
Abnormally high CPU usage
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process Stats: CPU usage > 98%
Source: LISTA DE PEDIDO DE COMPRA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe File created: C:\Users\user\AppData\Local\Temp\~DFBCC0369AB030E22C.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1189362749.0000000002980000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0040747B pushfd ; ret 0_2_00407495
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0040401B push ds; ret 0_2_00404027
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_00406946 push ebx; ret 0_2_0040694C
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_004085A7 push edx; ret 0_2_004085A8
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02980651 push eax; ret 0_2_02980668
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298298F pushad ; ret 0_2_02982997
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029845A9 pushfd ; retf 0_2_029845AE
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_029821EB push edx; retf 0_2_029821EC
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe RDTSC instruction interceptor: First address: 000000000040EBA2 second address: 000000000040EBA2 instructions:
0x00000000 rdtsc
0x00000002 cmp eax, 6Eh
0x00000005 cmp eax, 5Ch
0x00000008 popad
0x00000009 wait
0x0000000a cmp ecx, 60h
0x0000000d dec edi
0x0000000e nop
0x0000000f pushfd
0x00000010 popfd
0x00000011 cmp edi, 00000000h
0x00000014 jne 00007FF2AC93ADD0h
0x00000016 cmp eax, 000000B7h
0x0000001b nop
0x0000001c pushad
0x0000001d pushfd
0x0000001e popfd
0x0000001f lfence
0x00000022 rdtsc
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe RDTSC instruction interceptor: First address: 000000000298706E second address: 000000000298706E instructions:
0x00000000 rdtsc
0x00000002 mov eax, A370E331h
0x00000007 sub eax, EE8F7AC3h
0x0000000c xor eax, 7872D3ECh
0x00000011 xor eax, CC93BB83h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007FF2ACDE262Bh
0x0000001e lfence
0x00000021 mov edx, E8846EA4h
0x00000026 xor edx, C49B79A6h
0x0000002c xor edx, ABD9477Dh
0x00000032 xor edx, F838506Bh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000003e sub edx, esi
0x00000040 ret
0x00000041 pop ecx
0x00000042 add edi, edx
0x00000044 test bx, ax
0x00000047 dec ecx
0x00000048 mov dword ptr [ebp+00000184h], B0217EC7h
0x00000052 xor dword ptr [ebp+00000184h], A2777855h
0x0000005c xor dword ptr [ebp+00000184h], 7D2690A8h
0x00000066 xor dword ptr [ebp+00000184h], 6F70963Ah
0x00000070 jmp 00007FF2ACDE267Eh
0x00000072 test eax, 81EDF7D7h
0x00000077 cmp ecx, dword ptr [ebp+00000184h]
0x0000007d jne 00007FF2ACDE2574h
0x00000083 mov dword ptr [ebp+000001DEh], eax
0x00000089 mov eax, ecx
0x0000008b push eax
0x0000008c mov eax, dword ptr [ebp+000001DEh]
0x00000092 call 00007FF2ACDE26FEh
0x00000097 call 00007FF2ACDE264Ch
0x0000009c lfence
0x0000009f mov edx, E8846EA4h
0x000000a4 xor edx, C49B79A6h
0x000000aa xor edx, ABD9477Dh
0x000000b0 xor edx, F838506Bh
0x000000b6 mov edx, dword ptr [edx]
0x000000b8 lfence
0x000000bb ret
0x000000bc mov esi, edx
0x000000be pushad
0x000000bf rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02987066 rdtsc 0_2_02987066

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02986E85 mov eax, dword ptr fs:[00000030h] 0_2_02986E85
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02989EDB mov eax, dword ptr fs:[00000030h] 0_2_02989EDB
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_02984C76 mov eax, dword ptr fs:[00000030h] 0_2_02984C76
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe Code function: 0_2_0298993E mov eax, dword ptr fs:[00000030h] 0_2_0298993E
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos