Source: 00000000.00000002.1200992906.0000000000740000.00000040.00000001.sdmp
  Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Source: Statement of Account.exe
  Joe Sandbox ML: detected
  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
  URLs: https://drive.google.com/uc?export=dow
Source: Statement of Account.exe, 00000000.00000002.1201052412.000000000079A000.00000004.00000020.sdmp
  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: initial sample
  Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Statement of Account.exe
  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Statement of Account.exe, 00000000.00000002.1200800354.000000000041C000.00000002.00020000.sdmp
  Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.1201717663.00000000029A0000.00000004.00000001.sdmp
  Binary or memory string: OriginalFilenameUnnec1.exeFE2X vs Statement of Account.exe
Source: Statement of Account.exe
  Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Statement of Account.exe
  Code function: 0_2_00401868
  Code function: 0_2_0040228E
  Code function: 0_2_00403253
  Code function: 0_2_0040346F
  Code function: 0_2_00403612
  Code function: 0_2_004032D9
  Code function: 0_2_004034FC
  Code function: 0_2_00403353
  Code function: 0_2_004033E4
  Code function: 0_2_00403583
  Code function: 0_2_004031B3
  Code function: 0_2_00747DA9
  Code function: 0_2_00749C65
  Code function: 0_2_00747D74
  Code function: 0_2_0074A915
  Code function: 0_2_0074A661
  Code function: 0_2_00747E39
  Code function: 0_2_00747BFE
  Code function: 0_2_00745FA1
  Code function: String function: 0040177E appears 94 times
|
Source: C:\Users\user\Desktop\Statement of Account.exe
  Code function: 0_2_00747DA9 NtAllocateVirtualMemory
  Code function: 0_2_00747D74 NtAllocateVirtualMemory
  Code function: 0_2_00747E39 NtAllocateVirtualMemory
  Process Stats: CPU usage > 98%
Source: Statement of Account.exe
  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement of Account.exe
  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine
  Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0
Source: Yara match
  File source: 00000000.00000002.1200992906.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Statement of Account.exe
  Code function: 0_2_00403F55 push 00000043h; ret (0_2_00403F65)
  Code function: 0_2_004021A3 push FFFFFFC6h; retf (0_2_00402213)
  Code function: 0_2_004067B9 push eax; retf (0_2_004067BA)
  Code function: 0_2_007434E9 push FFFFFF8Bh; retn 0008h (0_2_00743562)
  Code function: 0_2_0074355C push FFFFFF8Bh; retn 0008h (0_2_00743562)
  Code function: 0_2_00744D58 push es; ret (0_2_00744EB7)
  Code function: 0_2_00742180 push edx; ret (0_2_00742199)
Source: initial sample
  Static PE information: section name: .text entropy: 6.83550763896
Source: C:\Users\user\Desktop\Statement of Account.exe
  Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: all processes
  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Statement of Account.exe
  Code function: 0_2_00747A27 rdtsc
  Process Stats: CPU usage > 90% for more than 60s
  Code function: 0_2_0040228E mov ebx, dword ptr fs:[00000030h]
  Code function: 0_2_004031B3 mov ebx, dword ptr fs:[00000030h]
  Code function: 0_2_0074997B mov eax, dword ptr fs:[00000030h]
  Code function: 0_2_00747608 mov eax, dword ptr fs:[00000030h]
  Code function: 0_2_00749E9C mov eax, dword ptr fs:[00000030h]
Source: Statement of Account.exe, 00000000.00000002.1201243204.0000000000D20000.00000002.00020000.sdmp
  Binary or memory string: Program Manager
  Binary or memory string: Shell_TrayWnd
  Binary or memory string: Progman
  Binary or memory string: Progmanlock