Windows Analysis Report Delivery note_241493.exe

Overview

General Information

Sample Name: Delivery note_241493.exe
Analysis ID: 502140
MD5: 261b89797cb2864afeb6f968106b42c9
SHA1: 3a213afbd149f81b7727efa53f02a69bab52efed
SHA256: 7c8515b78f74b188965d84c98cfed02aee2d242c5365bc04a7690705c8b5c743
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file name differs from the original file name recorded in the version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SLDT)
Abnormally high CPU usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1184760002.0000000000670000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download1"}

Compliance:

Uses 32bit PE files
Source: Delivery note_241493.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download1

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Delivery note_241493.exe, 00000000.00000002.1184780962.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Delivery note_241493.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006775A8 NtAllocateVirtualMemory, 0_2_006775A8
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006776AC NtAllocateVirtualMemory, 0_2_006776AC
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006775CA NtAllocateVirtualMemory, 0_2_006775CA
Sample file name differs from the original file name recorded in the version info
Source: Delivery note_241493.exe, 00000000.00000002.1184703081.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFAIRIES.exe vs Delivery note_241493.exe
Source: Delivery note_241493.exe Binary or memory string: OriginalFilenameFAIRIES.exe vs Delivery note_241493.exe
Abnormally high CPU usage
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00401676 0_2_00401676
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00401629 0_2_00401629
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0040143A 0_2_0040143A
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006775A8 0_2_006775A8
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675C7C 0_2_00675C7C
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675E40 0_2_00675E40
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675E5C 0_2_00675E5C
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675632 0_2_00675632
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0067A2EA 0_2_0067A2EA
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006760C0 0_2_006760C0
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00679CB1 0_2_00679CB1
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006758B0 0_2_006758B0
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675946 0_2_00675946
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675754 0_2_00675754
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0067552A 0_2_0067552A
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675D34 0_2_00675D34
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675B10 0_2_00675B10
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006757ED 0_2_006757ED
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006759F4 0_2_006759F4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006761F8 0_2_006761F8
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006775CA 0_2_006775CA
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006773AE 0_2_006773AE
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006751AB 0_2_006751AB
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00675F95 0_2_00675F95
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0067A790 0_2_0067A790
Source: C:\Users\user\Desktop\Delivery note_241493.exe File created: C:\Users\user\AppData\Local\Temp\~DF413C19EF49B79C40.TMP
Source: Delivery note_241493.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Delivery note_241493.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Delivery note_241493.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1184760002.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_004038DA push edx; iretd 0_2_004038E4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00406180 pushad ; iretd 0_2_00406183
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00672474 push esp; retf 0_2_00672475
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00670030 push FFFFFFB9h; retf 0_2_0067003B
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006700A9 push FFFFFFB9h; retf 0_2_006700B4
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00672D3A push 8160CB0Fh; ret 0_2_00672D3F
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_006739D7 push ebx; ret 0_2_006739FC
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Delivery note_241493.exe RDTSC instruction interceptor: First address: 000000000040EEE2 second address: 000000000040EEE2 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ecx, 0Ch
    0x00000005 lfence
    0x00000008 popad
    0x00000009 pushfd
    0x0000000a popfd
    0x0000000b mfence
    0x0000000e dec edi
    0x0000000f lfence
    0x00000012 mfence
    0x00000015 cmp edi, 00000000h
    0x00000018 jne 00007F3D1038ADEDh
    0x0000001a cmp ecx, 4Fh
    0x0000001d nop
    0x0000001e pushad
    0x0000001f cmp ecx, 5Eh
    0x00000022 lfence
    0x00000025 rdtsc
Source: C:\Users\user\Desktop\Delivery note_241493.exe RDTSC instruction interceptor: First address: 0000000000676E36 second address: 0000000000676E36 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 02C2A606h
    0x00000007 xor eax, 62F310FBh
    0x0000000c add eax, C22699E6h
    0x00000011 sub eax, 225850E2h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F3D10DEA132h
    0x0000001e lfence
    0x00000021 mov edx, 52A2A891h
    0x00000026 xor edx, CAF5852Ah
    0x0000002c sub edx, 98676D53h
    0x00000032 xor edx, 8011C07Ch
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 test ch, ch
    0x00000044 add edi, edx
    0x00000046 dec ecx
    0x00000047 mov dword ptr [ebp+00000204h], CD390659h
    0x00000051 xor dword ptr [ebp+00000204h], 08E2B84Bh
    0x0000005b xor dword ptr [ebp+00000204h], 98C0C551h
    0x00000065 cmp cl, dl
    0x00000067 add dword ptr [ebp+00000204h], A2E484BDh
    0x00000071 cmp ecx, dword ptr [ebp+00000204h]
    0x00000077 jne 00007F3D10DEA0D6h
    0x00000079 mov dword ptr [ebp+000001D4h], eax
    0x0000007f mov eax, ecx
    0x00000081 push eax
    0x00000082 mov eax, dword ptr [ebp+000001D4h]
    0x00000088 call 00007F3D10DEA1D5h
    0x0000008d call 00007F3D10DEA153h
    0x00000092 lfence
    0x00000095 mov edx, 52A2A891h
    0x0000009a xor edx, CAF5852Ah
    0x000000a0 sub edx, 98676D53h
    0x000000a6 xor edx, 8011C07Ch
    0x000000ac mov edx, dword ptr [edx]
    0x000000ae lfence
    0x000000b1 ret
    0x000000b2 mov esi, edx
    0x000000b4 pushad
    0x000000b5 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00676E2E rdtsc 0_2_00676E2E
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0067209D sldt word ptr [eax] 0_2_0067209D

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Delivery note_241493.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00676C70 mov eax, dword ptr fs:[00000030h] 0_2_00676C70
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00679685 mov eax, dword ptr fs:[00000030h] 0_2_00679685
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_00679B87 mov eax, dword ptr fs:[00000030h] 0_2_00679B87
Source: C:\Users\user\Desktop\Delivery note_241493.exe Code function: 0_2_0067A790 mov eax, dword ptr fs:[00000030h] 0_2_0067A790
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information