Windows Analysis Report ZAM#U00d3WIENIE.exe

Overview

General Information

Sample Name: ZAM#U00d3WIENIE.exe
Analysis ID: 502209
MD5: 4805bfc9145d8aa3ac43d1cc29c451ed
SHA1: 7787fa250b35d1a67142d230cbedbc357eb8cb9c
SHA256: bac5da263610272c5c5be4ecb5a16626c653a757abaffc8402d210227ec04bb8
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}

Compliance:

Uses 32bit PE files
Source: ZAM#U00d3WIENIE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloa

System Summary:

Uses 32bit PE files
Source: ZAM#U00d3WIENIE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7A18 NtAllocateVirtualMemory, 0_2_021D7A18
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7AB7 NtAllocateVirtualMemory, 0_2_021D7AB7
Sample file is different than original file name gathered from version info
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.771912024.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe
Source: ZAM#U00d3WIENIE.exe Binary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_0040167A 0_2_0040167A
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_0040162D 0_2_0040162D
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_0040143E 0_2_0040143E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7A18 0_2_021D7A18
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DBDB9 0_2_021DBDB9
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5A37 0_2_021D5A37
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D6233 0_2_021D6233
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7E75 0_2_021D7E75
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5E6E 0_2_021D5E6E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7EA0 0_2_021D7EA0
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D66F2 0_2_021D66F2
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D9F0C 0_2_021D9F0C
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DAB24 0_2_021DAB24
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5B5F 0_2_021D5B5F
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7F4C 0_2_021D7F4C
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D634E 0_2_021D634E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5FB1 0_2_021D5FB1
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D042E 0_2_021D042E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D8022 0_2_021D8022
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5C6B 0_2_021D5C6B
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D609E 0_2_021D609E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D588B 0_2_021D588B
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D64A0 0_2_021D64A0
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D64E5 0_2_021D64E5
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D8113 0_2_021D8113
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5909 0_2_021D5909
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5505 0_2_021D5505
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D6104 0_2_021D6104
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5D65 0_2_021D5D65
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D659E 0_2_021D659E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D5597 0_2_021D5597
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe File created: C:\Users\user\AppData\Local\Temp\~DF737D484AB8F1AB01.TMP
Source: ZAM#U00d3WIENIE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00402E52 push esi; ret 0_2_00402E53
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00405E3D pushfd ; retf 0_2_00405E3E
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00402ECA push esi; ret 0_2_00402ECB
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00402EFC push ss; ret 0_2_00402EFD
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00402E84 push ss; ret 0_2_00402E85
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_00403CBF push ebp; retf 0_2_00403CCB
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D6A51 push ecx; iretd 0_2_021D90A4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D6A9A push ecx; iretd 0_2_021D90A4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D6AC0 push ecx; iretd 0_2_021D90A4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D2EE5 push edx; iretd 0_2_021D92BC
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D0B53 push FFFFFF98h; iretd 0_2_021D0B56
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DA371 push ecx; ret 0_2_021DA372
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DA383 push ecx; ret 0_2_021DA384
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D902A push ecx; iretd 0_2_021D90A4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D9047 push 3966FF69h; retf 0_2_021D909D
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D38C2 push ebx; ret 0_2_021D38D4
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7DAF push 38E68469h; ret 0_2_021D7E05
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe RDTSC instruction interceptor: First address: 000000000040F508 second address: 000000000040F508 instructions:
  0x00000000 rdtsc
  0x00000002 pushfd
  0x00000003 popfd
  0x00000004 cmp ecx, 000000F6h
  0x0000000a popad
  0x0000000b wait
  0x0000000c cmp eax, 5Bh
  0x0000000f dec edi
  0x00000010 mfence
  0x00000013 nop
  0x00000014 cmp edi, 00000000h
  0x00000017 jne 00007F931C9628C0h
  0x00000019 mfence
  0x0000001c pushfd
  0x0000001d popfd
  0x0000001e pushad
  0x0000001f pushfd
  0x00000020 popfd
  0x00000021 nop
  0x00000022 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7293 rdtsc 0_2_021D7293

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D9AF1 mov eax, dword ptr fs:[00000030h] 0_2_021D9AF1
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DA05D mov eax, dword ptr fs:[00000030h] 0_2_021DA05D
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D70B2 mov eax, dword ptr fs:[00000030h] 0_2_021D70B2
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021D7293 rdtsc 0_2_021D7293
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe Code function: 0_2_021DBDB9 RtlAddVectoredExceptionHandler, 0_2_021DBDB9
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos