Source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"} |
Source: ZAM#U00d3WIENIE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downloa |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7A18 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7AB7 NtAllocateVirtualMemory, |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.771912024.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe |
Source: ZAM#U00d3WIENIE.exe | Binary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_0040167A |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_0040162D |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_0040143E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7A18 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DBDB9 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5A37 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D6233 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7E75 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5E6E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7EA0 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D66F2 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D9F0C |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DAB24 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5B5F |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7F4C |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D634E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5FB1 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D042E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D8022 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5C6B |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D609E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D588B |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D64A0 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D64E5 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D8113 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5909 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5505 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D6104 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5D65 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D659E |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D5597 |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | File created: C:\Users\user\AppData\Local\Temp\~DF737D484AB8F1AB01.TMP |
Source: ZAM#U00d3WIENIE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00402E52 push esi; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00405E3D pushfd ; retf |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00402ECA push esi; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00402EFC push ss; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00402E84 push ss; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_00403CBF push ebp; retf |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D6A51 push ecx; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D6A9A push ecx; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D6AC0 push ecx; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D2EE5 push edx; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D0B53 push FFFFFF98h; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DA371 push ecx; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DA383 push ecx; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D902A push ecx; iretd |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D9047 push 3966FF69h; retf |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D38C2 push ebx; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7DAF push 38E68469h; ret |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | RDTSC instruction interceptor: First address: 000000000040F508 second address: 000000000040F508 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 cmp ecx, 000000F6h 0x0000000a popad 0x0000000b wait 0x0000000c cmp eax, 5Bh 0x0000000f dec edi 0x00000010 mfence 0x00000013 nop 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F931C9628C0h 0x00000019 mfence 0x0000001c pushfd 0x0000001d popfd 0x0000001e pushad 0x0000001f pushfd 0x00000020 popfd 0x00000021 nop 0x00000022 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D7293 rdtsc |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D9AF1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DA05D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021D70B2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe | Code function: 0_2_021DBDB9 RtlAddVectoredExceptionHandler, |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |