Source: 00000000.00000002.788395065.0000000002B00000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxK="} |
Source: Delivery note_241493.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxK= |
Source: Delivery note_241493.exe, 00000000.00000000.250683237.0000000000416000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe |
Source: Delivery note_241493.exe |
Binary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00401679 | 0_2_00401679 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_0040162C | 0_2_0040162C |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_0040143D | 0_2_0040143D |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B074AF | 0_2_02B074AF |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B0524E | 0_2_02B0524E |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B003C2 | 0_2_02B003C2 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B0516D | 0_2_02B0516D |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
File created: C:\Users\user~1\AppData\Local\Temp\~DF338A7E18907ED6EA.TMP |
Source: Delivery note_241493.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.788395065.0000000002B00000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00405C5C push edx; retf | 0_2_00405C6F |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00405E5F push esp; ret | 0_2_00405E60 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00406809 pushad ; iretd | 0_2_0040681A |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00405A23 push cs; iretd | 0_2_00405ADA |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_004038B9 push 4EA9091Fh; iretd | 0_2_004038BE |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00405376 pushad ; retf | 0_2_004053D4 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00405376 push esi; ret | 0_2_004054C4 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_00406915 push edi; iretd | 0_2_00406917 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_004053D5 push esi; ret | 0_2_004054C4 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B028C8 push esp; iretd | 0_2_02B028CB |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B010CB push ecx; retf | 0_2_02B010DB |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B02834 push ebp; retf | 0_2_02B02838 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B02E35 pushad ; retn 0004h | 0_2_02B02E4E |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B04BF1 push cs; retf | 0_2_02B04C36 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B04BE2 push cs; retf | 0_2_02B04C36 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
RDTSC instruction interceptor: First address: 000000000040F270 second address: 000000000040F270 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 cmp ecx, 2Bh 0x00000008 popad 0x00000009 mfence 0x0000000c wait 0x0000000d dec edi 0x0000000e pushfd 0x0000000f popfd 0x00000010 nop 0x00000011 cmp edi, 00000000h 0x00000014 jne 00007F8D90FDCBEFh 0x00000016 lfence 0x00000019 cmp ecx, 000000FCh 0x0000001f pushad 0x00000020 nop 0x00000021 pushfd 0x00000022 popfd 0x00000023 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B09ED5 mov eax, dword ptr fs:[00000030h] | 0_2_02B09ED5 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B099E3 mov eax, dword ptr fs:[00000030h] | 0_2_02B099E3 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe |
Code function: 0_2_02B06DEB mov eax, dword ptr fs:[00000030h] | 0_2_02B06DEB |
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: uProgram Manager |
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |