Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Sample Name: Fra FAC-ES101-2107-03806.doc.exe
Analysis ID: 501942
MD5: 18b804e21a3c1c80c195e7d20dc38477
SHA1: 9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256: cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo"}
Multi AV Scanner detection for submitted file
Source: Fra FAC-ES101-2107-03806.doc.exe Virustotal: Detection: 51% Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe Metadefender: Detection: 34% Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe ReversingLabs: Detection: 53%

Compliance:

barindex
Uses 32bit PE files
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downlo

System Summary:

barindex
Uses 32bit PE files
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000000.253125793.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
Source: Fra FAC-ES101-2107-03806.doc.exe Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_004016F4 0_2_004016F4
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00401741 0_2_00401741
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00401505 0_2_00401505
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B763 0_2_0212B763
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021274A7 0_2_021274A7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AA13 0_2_0212AA13
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124A14 0_2_02124A14
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124E15 0_2_02124E15
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128E1A 0_2_02128E1A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212721C 0_2_0212721C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126205 0_2_02126205
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129A0B 0_2_02129A0B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B20B 0_2_0212B20B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A609 0_2_0212A609
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212020D 0_2_0212020D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124E0D 0_2_02124E0D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212363D 0_2_0212363D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127A2B 0_2_02127A2B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212822F 0_2_0212822F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02120257 0_2_02120257
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212765B 0_2_0212765B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129259 0_2_02129259
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125647 0_2_02125647
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127244 0_2_02127244
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125E70 0_2_02125E70
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126E85 0_2_02126E85
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BABD 0_2_0212BABD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125AAB 0_2_02125AAB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021266AF 0_2_021266AF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AEDB 0_2_0212AEDB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021252C5 0_2_021252C5
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127EF3 0_2_02127EF3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021216F7 0_2_021216F7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BEE1 0_2_0212BEE1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021296E6 0_2_021296E6
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129AEF 0_2_02129AEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02120319 0_2_02120319
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126B03 0_2_02126B03
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128B09 0_2_02128B09
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212630E 0_2_0212630E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AF31 0_2_0212AF31
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124F35 0_2_02124F35
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A73B 0_2_0212A73B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AB53 0_2_0212AB53
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128F47 0_2_02128F47
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127B4B 0_2_02127B4B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A349 0_2_0212A349
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212777F 0_2_0212777F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212537C 0_2_0212537C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125F67 0_2_02125F67
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02120365 0_2_02120365
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B365 0_2_0212B365
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125768 0_2_02125768
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128F97 0_2_02128F97
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A79E 0_2_0212A79E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128B89 0_2_02128B89
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212938F 0_2_0212938F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B78F 0_2_0212B78F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BFBB 0_2_0212BFBB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021213BC 0_2_021213BC
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021297D1 0_2_021297D1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021267D7 0_2_021267D7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125BC3 0_2_02125BC3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129BC1 0_2_02129BC1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127FCD 0_2_02127FCD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B7FD 0_2_0212B7FD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124FE2 0_2_02124FE2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021253E8 0_2_021253E8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128FEF 0_2_02128FEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AFEF 0_2_0212AFEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02121417 0_2_02121417
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A001 0_2_0212A001
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128805 0_2_02128805
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212180F 0_2_0212180F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AC37 0_2_0212AC37
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125435 0_2_02125435
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212903B 0_2_0212903B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129039 0_2_02129039
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A82F 0_2_0212A82F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128C53 0_2_02128C53
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127C57 0_2_02127C57
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BC55 0_2_0212BC55
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125041 0_2_02125041
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126446 0_2_02126446
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212587E 0_2_0212587E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212707F 0_2_0212707F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212908F 0_2_0212908F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021214B2 0_2_021214B2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02128CB2 0_2_02128CB2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021228A1 0_2_021228A1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B8AA 0_2_0212B8AA
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126CD3 0_2_02126CD3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021288D1 0_2_021288D1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021278D8 0_2_021278D8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021260C3 0_2_021260C3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021274CF 0_2_021274CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125CF3 0_2_02125CF3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021290F3 0_2_021290F3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021268F0 0_2_021268F0
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021278F6 0_2_021278F6
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021298EE 0_2_021298EE
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02125516 0_2_02125516
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B115 0_2_0212B115
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A91D 0_2_0212A91D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212350F 0_2_0212350F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127523 0_2_02127523
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A12B 0_2_0212A12B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B95B 0_2_0212B95B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129141 0_2_02129141
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212014A 0_2_0212014A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A17F 0_2_0212A17F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212357C 0_2_0212357C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212AD6F 0_2_0212AD6F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212196C 0_2_0212196C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212719F 0_2_0212719F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127D80 0_2_02127D80
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212598B 0_2_0212598B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021251AD 0_2_021251AD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021295AD 0_2_021295AD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021229D8 0_2_021229D8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B9CF 0_2_0212B9CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BDF7 0_2_0212BDF7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021269E5 0_2_021269E5
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021274A7 NtAllocateVirtualMemory, 0_2_021274A7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021274CF NtAllocateVirtualMemory, 0_2_021274CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02127523 NtAllocateVirtualMemory, 0_2_02127523
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process Stats: CPU usage > 98%
Source: Fra FAC-ES101-2107-03806.doc.exe Virustotal: Detection: 51%
Source: Fra FAC-ES101-2107-03806.doc.exe Metadefender: Detection: 34%
Source: Fra FAC-ES101-2107-03806.doc.exe ReversingLabs: Detection: 53%
Source: Fra FAC-ES101-2107-03806.doc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFFED7301E5AE2E1AD.TMP Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00404871 pushfd ; ret 0_2_00404883
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00404A8E push ebx; iretd 0_2_00404A5D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_00403901 push FFFFFF9Dh; ret 0_2_00403903
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02120739 pushfd ; ret 0_2_0212073B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02120365 push ebx; retn 665Dh 0_2_021204C4
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021237D6 push es; ret 0_2_021237DC
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02123BC2 push edx; retn 0010h 0_2_02123BBF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02122C05 push ebp; ret 0_2_02122C10
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124C56 push esi; retf 0_2_02124C59
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_021210D4 push 81EB8948h; ret 0_2_021210E2

Hooking and other Techniques for Hiding and Protection:

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: doc.exe Static PE information: Fra FAC-ES101-2107-03806.doc.exe
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe RDTSC instruction interceptor: First address: 000000000040EF65 second address: 000000000040EF65 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 1Eh 0x00000006 popad 0x00000007 cmp eax, 57h 0x0000000a cmp eax, 000000C1h 0x0000000f dec edi 0x00000010 pushfd 0x00000011 popfd 0x00000012 cmp ecx, 000000D3h 0x00000018 cmp edi, 00000000h 0x0000001b jne 00007FB154E0C83Dh 0x0000001d lfence 0x00000020 pushfd 0x00000021 popfd 0x00000022 pushad 0x00000023 nop 0x00000024 nop 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe RDTSC instruction interceptor: First address: 0000000002126DB3 second address: 0000000002126DB3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 64E7D070h 0x00000007 sub eax, 19D506BDh 0x0000000c sub eax, 184D9669h 0x00000011 sub eax, 32C53349h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB154E13023h 0x0000001e lfence 0x00000021 mov edx, 769F0153h 0x00000026 add edx, CDC36EF7h 0x0000002c xor edx, 603C6A45h 0x00000032 xor edx, 5BA01A1Bh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001A4h], 79BB58DFh 0x0000004f xor dword ptr [ebp+000001A4h], A54EB3B1h 0x00000059 xor dword ptr [ebp+000001A4h], F12654D1h 0x00000063 test dx, cx 0x00000066 add dword ptr [ebp+000001A4h], D22C4041h 0x00000070 cmp ecx, dword ptr [ebp+000001A4h] 0x00000076 jne 00007FB154E12F2Ah 0x0000007c mov dword ptr [ebp+00000214h], ebx 0x00000082 jmp 00007FB154E13026h 0x00000084 test cx, D417h 0x00000089 mov ebx, ecx 0x0000008b push ebx 0x0000008c mov ebx, dword ptr [ebp+00000214h] 0x00000092 test dl, al 0x00000094 call 00007FB154E13044h 0x00000099 call 00007FB154E13044h 0x0000009e lfence 0x000000a1 mov edx, 769F0153h 0x000000a6 add edx, CDC36EF7h 0x000000ac xor edx, 603C6A45h 0x000000b2 xor edx, 5BA01A1Bh 0x000000b8 mov edx, dword ptr [edx] 0x000000ba lfence 0x000000bd ret 0x000000be mov esi, edx 0x000000c0 pushad 0x000000c1 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124A14 rdtsc 0_2_02124A14

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124A14 mov eax, dword ptr fs:[00000030h] 0_2_02124A14
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212960F mov eax, dword ptr fs:[00000030h] 0_2_0212960F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02129B4A mov eax, dword ptr fs:[00000030h] 0_2_02129B4A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212A79E mov eax, dword ptr fs:[00000030h] 0_2_0212A79E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02126BE9 mov eax, dword ptr fs:[00000030h] 0_2_02126BE9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_02124A14 rdtsc 0_2_02124A14
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B763 RtlAddVectoredExceptionHandler, 0_2_0212B763
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BABD RtlAddVectoredExceptionHandler, 0_2_0212BABD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BB9D RtlAddVectoredExceptionHandler, 0_2_0212BB9D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B78F RtlAddVectoredExceptionHandler, 0_2_0212B78F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B7FD RtlAddVectoredExceptionHandler, 0_2_0212B7FD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212BC55 RtlAddVectoredExceptionHandler, 0_2_0212BC55
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B8AA RtlAddVectoredExceptionHandler, 0_2_0212B8AA
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B95B RtlAddVectoredExceptionHandler, 0_2_0212B95B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe Code function: 0_2_0212B9CF RtlAddVectoredExceptionHandler, 0_2_0212B9CF
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Progmanlock