Loading ...

Play interactive tourEdit tour

Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Sample Name:Fra FAC-ES101-2107-03806.doc.exe
Analysis ID:501942
MD5:18b804e21a3c1c80c195e7d20dc38477
SHA1:9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256:cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Fra FAC-ES101-2107-03806.doc.exeVirustotal: Detection: 51%Perma Link
    Source: Fra FAC-ES101-2107-03806.doc.exeMetadefender: Detection: 34%Perma Link
    Source: Fra FAC-ES101-2107-03806.doc.exeReversingLabs: Detection: 53%
    Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downlo
    Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000000.253125793.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
    Source: Fra FAC-ES101-2107-03806.doc.exeBinary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004016F40_2_004016F4
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004017410_2_00401741
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_004015050_2_00401505
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B7630_2_0212B763
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021274A70_2_021274A7
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AA130_2_0212AA13
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124A140_2_02124A14
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124E150_2_02124E15
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128E1A0_2_02128E1A
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212721C0_2_0212721C
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021262050_2_02126205
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02129A0B0_2_02129A0B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B20B0_2_0212B20B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A6090_2_0212A609
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212020D0_2_0212020D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124E0D0_2_02124E0D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212363D0_2_0212363D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127A2B0_2_02127A2B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212822F0_2_0212822F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021202570_2_02120257
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212765B0_2_0212765B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021292590_2_02129259
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021256470_2_02125647
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021272440_2_02127244
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02125E700_2_02125E70
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02126E850_2_02126E85
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BABD0_2_0212BABD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02125AAB0_2_02125AAB
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021266AF0_2_021266AF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AEDB0_2_0212AEDB
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021252C50_2_021252C5
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127EF30_2_02127EF3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021216F70_2_021216F7
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BEE10_2_0212BEE1
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021296E60_2_021296E6
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02129AEF0_2_02129AEF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021203190_2_02120319
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02126B030_2_02126B03
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128B090_2_02128B09
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212630E0_2_0212630E
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AF310_2_0212AF31
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124F350_2_02124F35
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A73B0_2_0212A73B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AB530_2_0212AB53
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128F470_2_02128F47
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127B4B0_2_02127B4B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A3490_2_0212A349
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212777F0_2_0212777F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212537C0_2_0212537C
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02125F670_2_02125F67
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021203650_2_02120365
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B3650_2_0212B365
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021257680_2_02125768
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128F970_2_02128F97
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A79E0_2_0212A79E
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128B890_2_02128B89
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212938F0_2_0212938F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B78F0_2_0212B78F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BFBB0_2_0212BFBB
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021213BC0_2_021213BC
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021297D10_2_021297D1
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021267D70_2_021267D7
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02125BC30_2_02125BC3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02129BC10_2_02129BC1
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127FCD0_2_02127FCD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B7FD0_2_0212B7FD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124FE20_2_02124FE2
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021253E80_2_021253E8
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128FEF0_2_02128FEF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AFEF0_2_0212AFEF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021214170_2_02121417
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A0010_2_0212A001
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021288050_2_02128805
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212180F0_2_0212180F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AC370_2_0212AC37
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021254350_2_02125435
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212903B0_2_0212903B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021290390_2_02129039
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A82F0_2_0212A82F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128C530_2_02128C53
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127C570_2_02127C57
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BC550_2_0212BC55
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021250410_2_02125041
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021264460_2_02126446
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212587E0_2_0212587E
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212707F0_2_0212707F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212908F0_2_0212908F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021214B20_2_021214B2
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02128CB20_2_02128CB2
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021228A10_2_021228A1
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B8AA0_2_0212B8AA
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02126CD30_2_02126CD3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021288D10_2_021288D1
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021278D80_2_021278D8
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021260C30_2_021260C3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021274CF0_2_021274CF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02125CF30_2_02125CF3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021290F30_2_021290F3
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021268F00_2_021268F0
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021278F60_2_021278F6
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021298EE0_2_021298EE
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021255160_2_02125516
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B1150_2_0212B115
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A91D0_2_0212A91D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212350F0_2_0212350F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021275230_2_02127523
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A12B0_2_0212A12B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B95B0_2_0212B95B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021291410_2_02129141
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212014A0_2_0212014A
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A17F0_2_0212A17F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212357C0_2_0212357C
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212AD6F0_2_0212AD6F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212196C0_2_0212196C
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212719F0_2_0212719F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127D800_2_02127D80
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212598B0_2_0212598B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021251AD0_2_021251AD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021295AD0_2_021295AD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021229D80_2_021229D8
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B9CF0_2_0212B9CF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BDF70_2_0212BDF7
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021269E50_2_021269E5
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021274A7 NtAllocateVirtualMemory,0_2_021274A7
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021274CF NtAllocateVirtualMemory,0_2_021274CF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02127523 NtAllocateVirtualMemory,0_2_02127523
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess Stats: CPU usage > 98%
    Source: Fra FAC-ES101-2107-03806.doc.exeVirustotal: Detection: 51%
    Source: Fra FAC-ES101-2107-03806.doc.exeMetadefender: Detection: 34%
    Source: Fra FAC-ES101-2107-03806.doc.exeReversingLabs: Detection: 53%
    Source: Fra FAC-ES101-2107-03806.doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFFED7301E5AE2E1AD.TMPJump to behavior
    Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00404871 pushfd ; ret 0_2_00404883
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00404A8E push ebx; iretd 0_2_00404A5D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_00403901 push FFFFFF9Dh; ret 0_2_00403903
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02120739 pushfd ; ret 0_2_0212073B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02120365 push ebx; retn 665Dh0_2_021204C4
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021237D6 push es; ret 0_2_021237DC
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02123BC2 push edx; retn 0010h0_2_02123BBF
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02122C05 push ebp; ret 0_2_02122C10
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124C56 push esi; retf 0_2_02124C59
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_021210D4 push 81EB8948h; ret 0_2_021210E2

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Uses an obfuscated file name to hide its real file extension (double extension)Show sources
    Source: Possible double extension: doc.exeStatic PE information: Fra FAC-ES101-2107-03806.doc.exe
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeRDTSC instruction interceptor: First address: 000000000040EF65 second address: 000000000040EF65 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 1Eh 0x00000006 popad 0x00000007 cmp eax, 57h 0x0000000a cmp eax, 000000C1h 0x0000000f dec edi 0x00000010 pushfd 0x00000011 popfd 0x00000012 cmp ecx, 000000D3h 0x00000018 cmp edi, 00000000h 0x0000001b jne 00007FB154E0C83Dh 0x0000001d lfence 0x00000020 pushfd 0x00000021 popfd 0x00000022 pushad 0x00000023 nop 0x00000024 nop 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeRDTSC instruction interceptor: First address: 0000000002126DB3 second address: 0000000002126DB3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 64E7D070h 0x00000007 sub eax, 19D506BDh 0x0000000c sub eax, 184D9669h 0x00000011 sub eax, 32C53349h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB154E13023h 0x0000001e lfence 0x00000021 mov edx, 769F0153h 0x00000026 add edx, CDC36EF7h 0x0000002c xor edx, 603C6A45h 0x00000032 xor edx, 5BA01A1Bh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001A4h], 79BB58DFh 0x0000004f xor dword ptr [ebp+000001A4h], A54EB3B1h 0x00000059 xor dword ptr [ebp+000001A4h], F12654D1h 0x00000063 test dx, cx 0x00000066 add dword ptr [ebp+000001A4h], D22C4041h 0x00000070 cmp ecx, dword ptr [ebp+000001A4h] 0x00000076 jne 00007FB154E12F2Ah 0x0000007c mov dword ptr [ebp+00000214h], ebx 0x00000082 jmp 00007FB154E13026h 0x00000084 test cx, D417h 0x00000089 mov ebx, ecx 0x0000008b push ebx 0x0000008c mov ebx, dword ptr [ebp+00000214h] 0x00000092 test dl, al 0x00000094 call 00007FB154E13044h 0x00000099 call 00007FB154E13044h 0x0000009e lfence 0x000000a1 mov edx, 769F0153h 0x000000a6 add edx, CDC36EF7h 0x000000ac xor edx, 603C6A45h 0x000000b2 xor edx, 5BA01A1Bh 0x000000b8 mov edx, dword ptr [edx] 0x000000ba lfence 0x000000bd ret 0x000000be mov esi, edx 0x000000c0 pushad 0x000000c1 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124A14 rdtsc 0_2_02124A14

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124A14 mov eax, dword ptr fs:[00000030h]0_2_02124A14
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212960F mov eax, dword ptr fs:[00000030h]0_2_0212960F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02129B4A mov eax, dword ptr fs:[00000030h]0_2_02129B4A
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212A79E mov eax, dword ptr fs:[00000030h]0_2_0212A79E
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02126BE9 mov eax, dword ptr fs:[00000030h]0_2_02126BE9
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_02124A14 rdtsc 0_2_02124A14
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B763 RtlAddVectoredExceptionHandler,0_2_0212B763
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BABD RtlAddVectoredExceptionHandler,0_2_0212BABD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BB9D RtlAddVectoredExceptionHandler,0_2_0212BB9D
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B78F RtlAddVectoredExceptionHandler,0_2_0212B78F
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B7FD RtlAddVectoredExceptionHandler,0_2_0212B7FD
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212BC55 RtlAddVectoredExceptionHandler,0_2_0212BC55
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B8AA RtlAddVectoredExceptionHandler,0_2_0212B8AA
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B95B RtlAddVectoredExceptionHandler,0_2_0212B95B
    Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exeCode function: 0_2_0212B9CF RtlAddVectoredExceptionHandler,0_2_0212B9CF
    Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
    Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion11LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information11NTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.