Source: 00000000.00000002.1189362749.0000000002980000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&idT"} |
Source: LISTA DE PEDIDO DE COMPRA.exe |
ReversingLabs: Detection: 15% |
Source: LISTA DE PEDIDO DE COMPRA.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&idT |
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000000.663817424.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe |
Source: LISTA DE PEDIDO DE COMPRA.exe |
Binary or memory string: OriginalFilenameUnseaming.exe vs LISTA DE PEDIDO DE COMPRA.exe |
Source: LISTA DE PEDIDO DE COMPRA.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02987681 |
0_2_02987681 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02986093 |
0_2_02986093 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985E8F |
0_2_02985E8F |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029876A2 |
0_2_029876A2 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985AC7 |
0_2_02985AC7 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029860E5 |
0_2_029860E5 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298524F |
0_2_0298524F |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985F87 |
0_2_02985F87 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029859B8 |
0_2_029859B8 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985BF8 |
0_2_02985BF8 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029861FD |
0_2_029861FD |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985D1E |
0_2_02985D1E |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298771F |
0_2_0298771F |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02985908 |
0_2_02985908 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02987739 |
0_2_02987739 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298753E |
0_2_0298753E |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02986353 |
0_2_02986353 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02987681 NtAllocateVirtualMemory, |
0_2_02987681 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029876A2 NtAllocateVirtualMemory, |
0_2_029876A2 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298783F NtAllocateVirtualMemory, |
0_2_0298783F |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298771F NtAllocateVirtualMemory, |
0_2_0298771F |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02987739 NtAllocateVirtualMemory, |
0_2_02987739 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Process Stats: CPU usage > 98% |
Source: LISTA DE PEDIDO DE COMPRA.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFBCC0369AB030E22C.TMP |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.1189362749.0000000002980000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0040747B pushfd ; ret |
0_2_00407495 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0040401B push ds; ret |
0_2_00404027 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_00406946 push ebx; ret |
0_2_0040694C |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_004085A7 push edx; ret |
0_2_004085A8 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02980651 push eax; ret |
0_2_02980668 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298298F pushad ; ret |
0_2_02982997 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029845A9 pushfd ; retf |
0_2_029845AE |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_029821EB push edx; retf |
0_2_029821EC |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
RDTSC instruction interceptor: First address: 000000000040EBA2 second address: 000000000040EBA2 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 6Eh 0x00000005 cmp eax, 5Ch 0x00000008 popad 0x00000009 wait 0x0000000a cmp ecx, 60h 0x0000000d dec edi 0x0000000e nop 0x0000000f pushfd 0x00000010 popfd 0x00000011 cmp edi, 00000000h 0x00000014 jne 00007FF2AC93ADD0h 0x00000016 cmp eax, 000000B7h 0x0000001b nop 0x0000001c pushad 0x0000001d pushfd 0x0000001e popfd 0x0000001f lfence 0x00000022 rdtsc |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
RDTSC instruction interceptor: First address: 000000000298706E second address: 000000000298706E instructions: 0x00000000 rdtsc 0x00000002 mov eax, A370E331h 0x00000007 sub eax, EE8F7AC3h 0x0000000c xor eax, 7872D3ECh 0x00000011 xor eax, CC93BB83h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FF2ACDE262Bh 0x0000001e lfence 0x00000021 mov edx, E8846EA4h 0x00000026 xor edx, C49B79A6h 0x0000002c xor edx, ABD9477Dh 0x00000032 xor edx, F838506Bh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 test bx, ax 0x00000047 dec ecx 0x00000048 mov dword ptr [ebp+00000184h], B0217EC7h 0x00000052 xor dword ptr [ebp+00000184h], A2777855h 0x0000005c xor dword ptr [ebp+00000184h], 7D2690A8h 0x00000066 xor dword ptr [ebp+00000184h], 6F70963Ah 0x00000070 jmp 00007FF2ACDE267Eh 0x00000072 test eax, 81EDF7D7h 0x00000077 cmp ecx, dword ptr [ebp+00000184h] 0x0000007d jne 00007FF2ACDE2574h 0x00000083 mov dword ptr [ebp+000001DEh], eax 0x00000089 mov eax, ecx 0x0000008b push eax 0x0000008c mov eax, dword ptr [ebp+000001DEh] 0x00000092 call 00007FF2ACDE26FEh 0x00000097 call 00007FF2ACDE264Ch 0x0000009c lfence 0x0000009f mov edx, E8846EA4h 0x000000a4 xor edx, C49B79A6h 0x000000aa xor edx, ABD9477Dh 0x000000b0 xor edx, F838506Bh 0x000000b6 mov edx, dword ptr [edx] 0x000000b8 lfence 0x000000bb ret 0x000000bc mov esi, edx 0x000000be pushad 0x000000bf rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02987066 rdtsc |
0_2_02987066 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02986E85 mov eax, dword ptr fs:[00000030h] |
0_2_02986E85 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02989EDB mov eax, dword ptr fs:[00000030h] |
0_2_02989EDB |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_02984C76 mov eax, dword ptr fs:[00000030h] |
0_2_02984C76 |
Source: C:\Users\user\Desktop\LISTA DE PEDIDO DE COMPRA.exe |
Code function: 0_2_0298993E mov eax, dword ptr fs:[00000030h] |
0_2_0298993E |
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: LISTA DE PEDIDO DE COMPRA.exe, 00000000.00000002.1189257522.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |