Windows Analysis Report Delivery note_241493.exe

Overview

General Information

Sample Name: Delivery note_241493.exe
Analysis ID: 502122
MD5: ae27dccff11f1c8e17661269d90148b9
SHA1: 365138784e65ad92bc8f05653374348aa4e00788
SHA256: dd739f42791b213769f242efac95b60d0026825d5c882d576533cd8ae57514b6
Tags: exeguloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.788395065.0000000002B00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxK="}

Compliance:

Uses 32bit PE files
Source: Delivery note_241493.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxK=

System Summary:

Uses 32bit PE files
Source: Delivery note_241493.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Delivery note_241493.exe, 00000000.00000000.250683237.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe
Source: Delivery note_241493.exe Binary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00401679 0_2_00401679
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0040162C 0_2_0040162C
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0040143D 0_2_0040143D
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B074AF 0_2_02B074AF
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B0524E 0_2_02B0524E
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B003C2 0_2_02B003C2
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B0516D 0_2_02B0516D
Source: C:\Users\user\Desktop\Delivery note_241493.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF338A7E18907ED6EA.TMP
Source: Delivery note_241493.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Delivery note_241493.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Delivery note_241493.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.788395065.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00405C5C push edx; retf 0_2_00405C6F
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00405E5F push esp; ret 0_2_00405E60
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00406809 pushad ; iretd 0_2_0040681A
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00405A23 push cs; iretd 0_2_00405ADA
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_004038B9 push 4EA9091Fh; iretd 0_2_004038BE
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00405376 pushad ; retf 0_2_004053D4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00405376 push esi; ret 0_2_004054C4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00406915 push edi; iretd 0_2_00406917
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_004053D5 push esi; ret 0_2_004054C4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B028C8 push esp; iretd 0_2_02B028CB
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B010CB push ecx; retf 0_2_02B010DB
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B02834 push ebp; retf 0_2_02B02838
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B02E35 pushad ; retn 0004h 0_2_02B02E4E
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B04BF1 push cs; retf 0_2_02B04C36
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B04BE2 push cs; retf 0_2_02B04C36
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Delivery note_241493.exe RDTSC instruction interceptor: First address: 000000000040F270 second address: 000000000040F270 instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 cmp ecx, 2Bh
0x00000008 popad
0x00000009 mfence
0x0000000c wait
0x0000000d dec edi
0x0000000e pushfd
0x0000000f popfd
0x00000010 nop
0x00000011 cmp edi, 00000000h
0x00000014 jne 00007F8D90FDCBEFh
0x00000016 lfence
0x00000019 cmp ecx, 000000FCh
0x0000001f pushad
0x00000020 nop
0x00000021 pushfd
0x00000022 popfd
0x00000023 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B09ED5 mov eax, dword ptr fs:[00000030h] 0_2_02B09ED5
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B099E3 mov eax, dword ptr fs:[00000030h] 0_2_02B099E3
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_02B06DEB mov eax, dword ptr fs:[00000030h] 0_2_02B06DEB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Delivery note_241493.exe, 00000000.00000002.785681023.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos