Source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dor"} |
Source: FACTURA.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=dor |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A78BE NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7A9E NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A78C2 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7973 NtAllocateVirtualMemory |
Source: FACTURA.exe, 00000000.00000000.286217984.000000000041B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe |
Source: FACTURA.exe, 00000000.00000002.809631589.00000000022A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCounterfoil7.exeFE2XCollides Systems, Inc. Collides Systems, Inc. vs FACTURA.exe |
Source: FACTURA.exe | Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe |
Source: FACTURA.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\FACTURA.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A78BE |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABD75 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABE16 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AAE3D |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AA22C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABE7E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7E6A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A626C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AB68E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A76B0 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A5EAA |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A5B0A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABF0E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AA302 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AAF36 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A6349 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABF6C |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A8362 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7F90 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABFB9 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A5FB4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A53A7 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A57C6 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AB3C6 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AA7FA |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A540E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A5C38 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A642E |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AA456 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AB056 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A809A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7093 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A54AC |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC0A4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A50D1 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AB0D4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A78C2 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AACC4 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A58FC |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A60E2 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A650A |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC151 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AB148 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7973 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AAD64 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A1991 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABDAA |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A7DA7 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AA1A5 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC1D6 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A51EB |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A59E6 |
Source: FACTURA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.809528334.00000000021A0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A0B20 push ds; iretd | 0_2_021A0B5F |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A3CBF push es; retf | 0_2_021A3D20 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A4191 push es; iretd | 0_2_021A42B3 |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A2DC7 push esi; iretd | 0_2_021A2DC8 |
Source: C:\Users\user\Desktop\FACTURA.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\FACTURA.exe | RDTSC instruction interceptor: First address: 000000000040F386 second address: 000000000040F386 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 mfence 0x00000006 popad 0x00000007 pushfd 0x00000008 popfd 0x00000009 cmp eax, 000000F9h 0x0000000e dec edi 0x0000000f wait 0x00000010 cmp eax, 67h 0x00000013 cmp edi, 00000000h 0x00000016 jne 00007F49089A7E50h 0x00000018 pushfd 0x00000019 popfd 0x0000001a wait 0x0000001b pushad 0x0000001c mfence 0x0000001f mfence 0x00000022 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FACTURA.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A9A96 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A9A94 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A6FB7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021A9FE0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AACC4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABD75 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABE16 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABE7E RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABF0E RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC30D RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABF6C RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABFB9 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC0A4 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC151 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021ABDAA RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\FACTURA.exe | Code function: 0_2_021AC1D6 RtlAddVectoredExceptionHandler |
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: FACTURA.exe, 00000000.00000002.809398242.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |