Windows Analysis Report Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

ID:	492176
Product:	CloudBasic
Start time:	12:48:49
Start date:	28.09.2021
Sample:	Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	419a3e9ce6606d5ed7b22a7574e1a294
SHA1:	7c08e8f1f4f478df9baf5d00675bd174467621bc
SHA256:	3ebfb7cdc30291bcc995951dda1d8f62cea3e0beb990e35fabb3078b6d9d9921
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Found malware configuration

Source: 00000000.00000002.874642724.0000000002280000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1"}

Multi AV Scanner detection for submitted file

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Virustotal: Detection: 32%			Perma Link
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	ReversingLabs: Detection: 59%

Compliance:

Uses 32bit PE files

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000002.874364498.00000000006EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000000.347136276.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSOOTIER.exe vs Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Binary or memory string: OriginalFilenameSOOTIER.exe vs Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

PE file contains strange resources

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Detected potential crypto function

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02287551		0_2_02287551
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02285013		0_2_02285013
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02285046		0_2_02285046
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02284EAF		0_2_02284EAF
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_022872F7		0_2_022872F7
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02289AC8		0_2_02289AC8
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02285381		0_2_02285381
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02285186		0_2_02285186

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02287551 NtAllocateVirtualMemory,		0_2_02287551
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_0228770D NtAllocateVirtualMemory,		0_2_0228770D
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_022875F5 NtAllocateVirtualMemory,		0_2_022875F5

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Process Stats: CPU usage > 98%

Sample is known by Antivirus

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Virustotal: Detection: 32%
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	ReversingLabs: Detection: 59%

PE file has an executable .text section and no other executable section

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Creates temporary files

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

File created: C:\Users\user\AppData\Local\Temp\~DFB490F95CF5EA8B6F.TMP

Jump to behavior

Classification label

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.874642724.0000000002280000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_00405846 push edi; retf		0_2_0040585F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_00405D7E push edx; iretd		0_2_00405D7F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_00402B90 push ebx; retf		0_2_00402B96
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_0228A443 push esp; retf		0_2_0228A67F
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02283300 pushfd ; ret		0_2_02283303

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

RDTSC instruction interceptor: First address: 000000000040E85B second address: 000000000040E85B instructions: 0x00000000 rdtsc 0x00000002 wait 0x00000003 wait 0x00000004 popad 0x00000005 lfence 0x00000008 mfence 0x0000000b dec edi 0x0000000c pushfd 0x0000000d popfd 0x0000000e pushfd 0x0000000f popfd 0x00000010 cmp edi, 00000000h 0x00000013 jne 00007F5770EAA462h 0x00000015 lfence 0x00000018 mfence 0x0000001b pushad 0x0000001c wait 0x0000001d mfence 0x00000020 rdtsc

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

RDTSC instruction interceptor: First address: 0000000002286DFC second address: 0000000002286DFC instructions: 0x00000000 rdtsc 0x00000002 mov eax, F9F0A62Eh 0x00000007 sub eax, C3698614h 0x0000000c xor eax, A054C6ADh 0x00000011 sub eax, 96D3E6B6h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F5770EA7F3Bh 0x0000001e lfence 0x00000021 mov edx, B7F0CA33h 0x00000026 xor edx, D51E11ABh 0x0000002c add edx, A4F999EAh 0x00000032 xor edx, 78167596h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000200h], 2A782AA0h 0x0000004f jmp 00007F5770EA7F7Eh 0x00000051 test eax, edx 0x00000053 xor dword ptr [ebp+00000200h], 7BA13BC5h 0x0000005d xor dword ptr [ebp+00000200h], 6C4338F5h 0x00000067 test ch, dh 0x00000069 sub dword ptr [ebp+00000200h], 3D9A2990h 0x00000073 cmp ecx, dword ptr [ebp+00000200h] 0x00000079 jne 00007F5770EA7E91h 0x0000007f mov dword ptr [ebp+00000271h], edi 0x00000085 mov edi, ecx 0x00000087 push edi 0x00000088 cmp al, F4h 0x0000008a mov edi, dword ptr [ebp+00000271h] 0x00000090 cmp bl, al 0x00000092 test dh, FFFFFFF1h 0x00000095 call 00007F5770EA7FF7h 0x0000009a call 00007F5770EA7F5Ch 0x0000009f lfence 0x000000a2 mov edx, B7F0CA33h 0x000000a7 xor edx, D51E11ABh 0x000000ad add edx, A4F999EAh 0x000000b3 xor edx, 78167596h 0x000000b9 mov edx, dword ptr [edx] 0x000000bb lfence 0x000000be ret 0x000000bf mov esi, edx 0x000000c1 pushad 0x000000c2 rdtsc

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Code function: 0_2_022870F5 rdtsc

0_2_022870F5

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02286C29 mov eax, dword ptr fs:[00000030h]		0_2_02286C29
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_02289D47 mov eax, dword ptr fs:[00000030h]		0_2_02289D47
Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe	Code function: 0_2_022897B7 mov eax, dword ptr fs:[00000030h]		0_2_022897B7

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe

Code function: 0_2_022870F5 rdtsc

0_2_022870F5

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000002.874467100.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000002.874467100.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000002.874467100.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Zapytanie ofertowe (SHELMO Sp. z o.o. 09272021).exe, 00000000.00000002.874467100.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock