Source: 00000000.00000002.857981611.0000000002260000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1Vr1"} |
Source: FAKTURA I PARAGONY.exe | Virustotal: Detection: 40% |
Source: FAKTURA I PARAGONY.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1Vr1 |
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857167751.00000000006AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: FAKTURA I PARAGONY.exe, 00000000.00000000.331579410.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe |
Source: FAKTURA I PARAGONY.exe | Binary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_004016E3 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_004014F4 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00401730 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022675BF |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226B99E |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265A38 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02266003 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226607C |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267ABC |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267C8D |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265C88 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226569F |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02261EEF |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265ECF |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226633B |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265B39 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265506 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265917 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267D19 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226517A |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226557B |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267B5E |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02265DA6 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022673A6 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267395 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02266192 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022657D4 |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022675BF NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226761F NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022676A4 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02267690 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226774C NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Process Stats: CPU usage > 98% |
Source: FAKTURA I PARAGONY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | File created: C:\Users\user\AppData\Local\Temp\~DF54C4517C2DC63B6B.TMP |
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.857981611.0000000002260000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0040545F push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00405426 push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00402F51 push 758B20A2h; ret |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00406154 push eax; ret |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00403B21 push ds; ret |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_004049E5 push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_004043FF push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_00403585 push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226400B push eax; iretd |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02261146 pushfd ; ret |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_022611E2 pushfd ; ret |
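Added example, not part of the report: a Python scanner for the control-flow gadget shapes listed above (push reg; ret, push reg; iretd, pushfd; ret, push ds; ret and push imm32; ret). These sequences replace a plain jmp or call with a stack write followed by a return, so a linear disassembler loses the real target. The sample buffer is constructed here (it is not bytes from the analysed file) and the base address 0x401000 is an assumption.

```python
"""Scan raw x86 code for push/ret and push/iretd control-flow gadgets.

Opcode patterns used: push r32 is 0x50+reg, ret is 0xC3, iretd is 0xCF,
pushfd is 0x9C, push ds is 0x1E, push imm32 is 0x68 + four immediate bytes.
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _match_at(buf, i):
    """Return (description, length) if a gadget starts at offset i, else None."""
    b = buf[i]
    nxt = buf[i + 1] if i + 1 < len(buf) else None
    if 0x50 <= b <= 0x57 and nxt == 0xC3:
        return f"push {REG32[b - 0x50]}; ret", 2
    if 0x50 <= b <= 0x57 and nxt == 0xCF:
        return f"push {REG32[b - 0x50]}; iretd", 2
    if b == 0x9C and nxt == 0xC3:
        return "pushfd ; ret", 2
    if b == 0x1E and nxt == 0xC3:
        return "push ds; ret", 2
    if b == 0x68 and i + 5 < len(buf) and buf[i + 5] == 0xC3:
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h; ret", 6
    return None


def find_gadgets(buf, base=0):
    """Return [(virtual_address, description)] for every gadget in buf.

    The scan is byte-aligned, not instruction-aligned, so on real code it
    over-reports; treat hits as candidates and confirm them in a disassembler.
    """
    hits, i = [], 0
    while i < len(buf):
        m = _match_at(buf, i)
        if m:
            hits.append((base + i, m[0]))
            i += m[1]
        else:
            i += 1
    return hits


# Constructed sample buffer (assumption, not bytes from the sample): a normal
# prologue padded with nops, followed by the gadget shapes the report lists.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp
    0x90, 0x90,
    0x50, 0xCF,                          # push eax; iretd
    0x90,
    0x68, 0xA2, 0x20, 0x8B, 0x75, 0xC3,  # push 758B20A2h; ret
    0x90,
    0x9C, 0xC3,                          # pushfd ; ret
    0x1E, 0xC3,                          # push ds; ret
    0xC3,                                # lone ret: not a gadget
])


if __name__ == "__main__":
    for va, desc in find_gadgets(SAMPLE, base=0x401000):
        print(f"{va:08X}  {desc}")
```

Run it over the .text section bytes of a sample (with `base` set to the section's virtual address) to get candidate offsets in the same form the report uses; a dense cluster of such hits in a small region is the practical signal, since a single push/ret also occurs in legitimate compiler output.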
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | RDTSC instruction interceptor: First address: 000000000040F206 second address: 000000000040F206 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 wait 0x00000005 popad 0x00000006 nop 0x00000007 cmp ecx, 000000D2h 0x0000000d dec edi 0x0000000e lfence 0x00000011 pushfd 0x00000012 popfd 0x00000013 cmp edi, 00000000h 0x00000016 jne 00007FC6009FA743h 0x00000018 pushfd 0x00000019 popfd 0x0000001a wait 0x0000001b pushad 0x0000001c pushfd 0x0000001d popfd 0x0000001e nop 0x0000001f rdtsc |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | RDTSC instruction interceptor: First address: 0000000002266EFB second address: 0000000002266EFB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 21D60935h 0x00000007 xor eax, 8FACA394h 0x0000000c xor eax, 93E4BB61h 0x00000011 xor eax, 3D9E11C1h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FC600C340D0h 0x0000001e lfence 0x00000021 mov edx, 857A903Ah 0x00000026 add edx, 67C7CA1Ch 0x0000002c xor edx, 06B8F8E0h 0x00000032 xor edx, 9404A2A2h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 cmp ch, dh 0x00000046 dec ecx 0x00000047 mov dword ptr [ebp+000001F9h], edx 0x0000004d mov edx, 3A4CFEADh 0x00000052 xor edx, 5F64774Ch 0x00000058 test edx, ecx 0x0000005a xor edx, 0A87EF9Dh 0x00000060 sub edx, 6FAF667Ch 0x00000066 cmp ecx, edx 0x00000068 mov edx, dword ptr [ebp+000001F9h] 0x0000006e jne 00007FC600C3401Fh 0x00000070 mov dword ptr [ebp+00000188h], edi 0x00000076 mov edi, ecx 0x00000078 push edi 0x00000079 mov edi, dword ptr [ebp+00000188h] 0x0000007f call 00007FC600C340C9h 0x00000084 call 00007FC600C340F1h 0x00000089 lfence 0x0000008c mov edx, 857A903Ah 0x00000091 add edx, 67C7CA1Ch 0x00000097 xor edx, 06B8F8E0h 0x0000009d xor edx, 9404A2A2h 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 ret 0x000000a9 mov esi, edx 0x000000ab pushad 0x000000ac rdtsc |
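Added example, not part of the report: the second interceptor trace above never uses a sensitive constant directly; every one is rebuilt at run time from a mov/add/xor/sub chain on immediates, so neither a string search nor a yara rule on the final value fires. The Python below folds those chains with 32-bit wraparound to recover what the loop actually touches. The instruction strings are copied from the trace; the KUSER_SHARED_DATA field names and the reading of the results are added here, based on the documented layout of that page at 0x7FFE0000 in 32-bit processes.

```python
"""Fold the obfuscated immediate chains from the RDTSC interceptor trace."""
import re

MASK32 = 0xFFFFFFFF

# Instruction fragments copied from the second interceptor trace (addresses
# and non-arithmetic instructions dropped). Each chain ends at the
# instruction that consumes the register.
CHAINS = {
    "cpuid leaf (eax before cpuid)": [
        "mov eax, 21D60935h",
        "xor eax, 8FACA394h",
        "xor eax, 93E4BB61h",
        "xor eax, 3D9E11C1h",
    ],
    "pointer dereferenced by 'mov edx, dword ptr [edx]'": [
        "mov edx, 857A903Ah",
        "add edx, 67C7CA1Ch",
        "xor edx, 06B8F8E0h",
        "xor edx, 9404A2A2h",
    ],
    "loop bound compared with ecx": [
        "mov edx, 3A4CFEADh",
        "xor edx, 5F64774Ch",
        "xor edx, 0A87EF9Dh",
        "sub edx, 6FAF667Ch",
    ],
}

INSN = re.compile(r"^(mov|add|sub|xor)\s+(e[a-d]x),\s*([0-9A-Fa-f]+)h$")


def fold_chain(lines):
    """Evaluate a mov/add/sub/xor immediate chain on one 32-bit register."""
    reg, value = None, 0
    for line in lines:
        m = INSN.match(line.strip())
        if not m:
            raise ValueError(f"unsupported instruction: {line!r}")
        op, r, imm = m.group(1), m.group(2), int(m.group(3), 16)
        if reg is None:
            reg = r
        elif r != reg:
            raise ValueError(f"chain switches register {reg} -> {r}")
        if op == "mov":
            value = imm
        elif op == "add":
            value = (value + imm) & MASK32
        elif op == "sub":
            value = (value - imm) & MASK32
        else:  # xor
            value ^= imm
    return reg, value


# KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every 32-bit
# process; only the timing fields relevant here are listed (documented
# _KUSER_SHARED_DATA offsets).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {
    0x000: "TickCountLowDeprecated",
    0x008: "InterruptTime.LowPart",
    0x014: "SystemTime.LowPart",
    0x320: "TickCount.LowPart",
}


def describe(value):
    """Name a decoded constant when it lands inside KUSER_SHARED_DATA."""
    off = value - KUSER_SHARED_DATA
    if 0 <= off < 0x1000:
        return f"KUSER_SHARED_DATA+0x{off:X} ({KUSER_FIELDS.get(off, 'unlabelled')})"
    return f"0x{value:08X}"


def decode_all(chains=CHAINS):
    """Return {label: (register, value, description)} for every chain."""
    out = {}
    for label, lines in chains.items():
        reg, value = fold_chain(lines)
        out[label] = (reg, value, describe(value))
    return out


if __name__ == "__main__":
    for label, (reg, value, desc) in decode_all().items():
        print(f"{label:55s} {reg} = {desc}")
```

The three chains fold to eax = 1 (cpuid leaf 1, the feature-information leaf whose ECX bit 31 is the hypervisor-present flag), edx = 0x7FFE0014 (KUSER_SHARED_DATA.SystemTime.LowPart, which the trace then subtracts from the previous sample in esi and accumulates in edi) and edx = 0 (so `cmp ecx, edx` after `dec ecx` is a plain loop-counter test). Read together with the two rdtsc instructions, the loop is comparing wall-clock time from the shared page against the TSC over a fixed number of iterations, which also explains the sustained CPU usage reported above.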
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226721A rdtsc |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02269878 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02266D2F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_02269DA2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Code function: 0_2_0226B99E RtlAddVectoredExceptionHandler, |
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp | Binary or memory string: &Program Manager |
Source: FAKTURA I PARAGONY.exe, 00000000.00000002.857418346.0000000000D30000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |