Source: 00000000.00000002.1184760002.0000000000670000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download1"} |
Source: Delivery note_241493.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download1 |
Source: Delivery note_241493.exe, 00000000.00000002.1184780962.00000000006CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006775A8 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006776AC NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006775CA NtAllocateVirtualMemory, |
Source: Delivery note_241493.exe, 00000000.00000002.1184703081.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFAIRIES.exe vs Delivery note_241493.exe |
Source: Delivery note_241493.exe | Binary or memory string: OriginalFilenameFAIRIES.exe vs Delivery note_241493.exe |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00401676 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00401629 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0040143A |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006775A8 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675C7C |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675E40 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675E5C |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675632 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0067A2EA |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006760C0 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00679CB1 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006758B0 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675946 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675754 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0067552A |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675D34 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675B10 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006757ED |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006759F4 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006761F8 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006775CA |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006773AE |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006751AB |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00675F95 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0067A790 |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | File created: C:\Users\user\AppData\Local\Temp\~DF413C19EF49B79C40.TMP |
Source: Delivery note_241493.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.1184760002.0000000000670000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_004038DA push edx; iretd |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00406180 pushad ; iretd |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00672474 push esp; retf |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00670030 push FFFFFFB9h; retf |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006700A9 push FFFFFFB9h; retf |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00672D3A push 8160CB0Fh; ret |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_006739D7 push ebx; ret |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | RDTSC instruction interceptor: First address: 000000000040EEE2 second address: 000000000040EEE2 instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, 0Ch 0x00000005 lfence 0x00000008 popad 0x00000009 pushfd 0x0000000a popfd 0x0000000b mfence 0x0000000e dec edi 0x0000000f lfence 0x00000012 mfence 0x00000015 cmp edi, 00000000h 0x00000018 jne 00007F3D1038ADEDh 0x0000001a cmp ecx, 4Fh 0x0000001d nop 0x0000001e pushad 0x0000001f cmp ecx, 5Eh 0x00000022 lfence 0x00000025 rdtsc |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | RDTSC instruction interceptor: First address: 0000000000676E36 second address: 0000000000676E36 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 02C2A606h 0x00000007 xor eax, 62F310FBh 0x0000000c add eax, C22699E6h 0x00000011 sub eax, 225850E2h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F3D10DEA132h 0x0000001e lfence 0x00000021 mov edx, 52A2A891h 0x00000026 xor edx, CAF5852Ah 0x0000002c sub edx, 98676D53h 0x00000032 xor edx, 8011C07Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 test ch, ch 0x00000044 add edi, edx 0x00000046 dec ecx 0x00000047 mov dword ptr [ebp+00000204h], CD390659h 0x00000051 xor dword ptr [ebp+00000204h], 08E2B84Bh 0x0000005b xor dword ptr [ebp+00000204h], 98C0C551h 0x00000065 cmp cl, dl 0x00000067 add dword ptr [ebp+00000204h], A2E484BDh 0x00000071 cmp ecx, dword ptr [ebp+00000204h] 0x00000077 jne 00007F3D10DEA0D6h 0x00000079 mov dword ptr [ebp+000001D4h], eax 0x0000007f mov eax, ecx 0x00000081 push eax 0x00000082 mov eax, dword ptr [ebp+000001D4h] 0x00000088 call 00007F3D10DEA1D5h 0x0000008d call 00007F3D10DEA153h 0x00000092 lfence 0x00000095 mov edx, 52A2A891h 0x0000009a xor edx, CAF5852Ah 0x000000a0 sub edx, 98676D53h 0x000000a6 xor edx, 8011C07Ch 0x000000ac mov edx, dword ptr [edx] 0x000000ae lfence 0x000000b1 ret 0x000000b2 mov esi, edx 0x000000b4 pushad 0x000000b5 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00676E2E rdtsc |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0067209D sldt word ptr [eax] |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00676C70 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00679685 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_00679B87 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Delivery note_241493.exe | Code function: 0_2_0067A790 mov eax, dword ptr fs:[00000030h] |
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: Delivery note_241493.exe, 00000000.00000002.1185199037.0000000000E50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |