Source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expordD|"} |
Source: PEDIDO.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?expordD| |
Source: PEDIDO.exe, 00000000.00000002.775910735.000000000079A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_021D754D NtAllocateVirtualMemory |
Code function: 0_2_021D7685 NtAllocateVirtualMemory |
Code function: 0_2_021D7500 NtAllocateVirtualMemory |
Code function: 0_2_021D75B8 NtAllocateVirtualMemory |
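The four NtAllocateVirtualMemory call sites above, and nearly every other 0_2_021Dxxxx function in this report, sit inside the memory dump named 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp, which is also the dump the GuLoader configuration and the Yara match come from. The script below is an added example written for this page, not part of the sandbox report. It pulls the .sdmp names out of report text, decodes the protection field as a Win32 PAGE_* value, and lists which reported functions fall inside an executable-and-writable region. Two assumptions are made: that the dump names follow the layout PID.DUMPID.TIMESTAMP.BASE.PROTECT.TYPE, and that a function belongs to the dump sharing its 64 KiB allocation granule (the report gives no region sizes). The report excerpt embedded in the script is constructed from lines on this page.

```python
import re

# Win32 PAGE_* protection values (low byte of the dump name's PROTECT field)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
GRANULE = 0x10000  # Windows allocation granularity: VirtualAlloc bases are 64 KiB aligned

# Assumed dump-name layout: PID.DUMPID.TIMESTAMP.BASE.PROTECT.TYPE.sdmp
SDMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)
FUNC_RE = re.compile(r"Code function: 0_2_([0-9A-Fa-f]{8})")

# Constructed excerpt: dump names and a few function entries copied from this report
REPORT = """\
Source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp |
Source: PEDIDO.exe, 00000000.00000002.775910735.000000000079A000.00000004.00000020.sdmp |
Source: PEDIDO.exe, 00000000.00000002.775473557.0000000000416000.00000002.00020000.sdmp |
File source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp, type: MEMORY |
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp |
Code function: 0_2_021D754D NtAllocateVirtualMemory, |
Code function: 0_2_021D7685 NtAllocateVirtualMemory, |
Code function: 0_2_00401441 |
Code function: 0_2_021DB8DA RtlAddVectoredExceptionHandler, |
Code function: 0_2_021D6E18 rdtsc |
"""


def parse_dumps(text):
    """Return {base_address: info} for every distinct .sdmp name in the text."""
    dumps = {}
    for m in SDMP_RE.finditer(text):
        base, protect = int(m.group(4), 16), int(m.group(5), 16)
        page = protect & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
        dumps[base] = {
            "protect": PAGE_PROTECT.get(page, hex(protect)),
            "writable": page in WRITABLE,
            "executable": page in EXECUTABLE,
            "pid": int(m.group(1), 16),
        }
    return dumps


def rwx_regions(dumps):
    """Bases of dumps that were both writable and executable (where unpacked code lands)."""
    return sorted(b for b, i in dumps.items() if i["writable"] and i["executable"])


def attribute_functions(text, dumps):
    """Map each reported function address to the dump base in the same 64 KiB granule.

    Heuristic: the report gives no region sizes, so a function is assigned to a
    dump only when both share an allocation granule; None means no dump covers it.
    """
    by_granule = {base & ~(GRANULE - 1): base for base in dumps}
    return {
        int(m.group(1), 16): by_granule.get(int(m.group(1), 16) & ~(GRANULE - 1))
        for m in FUNC_RE.finditer(text)
    }


if __name__ == "__main__":
    dumps = parse_dumps(REPORT)
    for base, info in sorted(dumps.items()):
        print(f"{base:#010x} {info['protect']}")
    print("RWX regions:", [hex(b) for b in rwx_regions(dumps)])
    for addr, home in attribute_functions(REPORT, dumps).items():
        print(f"{addr:#010x} -> {hex(home) if home is not None else 'no dump'}")
```

Run against the full report text, the same two functions separate the three image functions at 0x0040xxxx (the VB6 stub) from the 33 functions that live in the 0x021D0000 region, which is the set a disassembler should be pointed at first.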
Source: PEDIDO.exe, 00000000.00000002.775473557.0000000000416000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe |
Source: PEDIDO.exe |
Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe |
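The version resource names the build output Skovslotte5.exe while the file was delivered as PEDIDO.exe. A VB6 build (the sample loads msvbvm60.dll) writes the project's executable name into OriginalFilename, so a mismatch with the on-disk name is a cheap triage signal for a renamed stub. The check below is an added example, not part of the report: it reads the OriginalFilename String entry of VS_VERSIONINFO by scanning for the UTF-16LE key and parsing the String header that precedes it, then compares it with the on-disk name. The sample bytes are constructed inside the script to mirror the reported values; for a real check pass the file contents as data instead.

```python
import struct


def version_string(key, data):
    """Read one VS_VERSIONINFO String value by key with a scan, no resource walk.

    Layout of a String entry: wLength, wValueLength, wType, szKey (UTF-16LE,
    NUL-terminated), zero-word padding to a DWORD boundary, Value. The padding
    is computed relative to the entry start, which is itself DWORD aligned in a
    real resource. Returns None if the key is absent or the entry is not text.
    """
    key_bytes = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(key_bytes)
    if pos < 6:
        return None
    entry_start = pos - 6
    _w_length, w_value_length, w_type = struct.unpack_from("<HHH", data, entry_start)
    if w_type != 1:  # 1 = text, 0 = binary
        return None
    value_off = pos + len(key_bytes)
    value_off += (-(value_off - entry_start)) % 4
    raw = data[value_off:value_off + w_value_length * 2]  # wValueLength counts WORDs
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def check_original_filename(data, disk_name):
    """Compare the build-time OriginalFilename with the name the file arrived under."""
    original = version_string("OriginalFilename", data)
    if original is None:
        return "no OriginalFilename in version resource"
    if original.lower() == disk_name.lower():
        return "match"
    return f"mismatch: OriginalFilename={original!r}, on disk={disk_name!r}"


def build_string_entry(key, value):
    """Construct a VS_VERSIONINFO String entry (test fixture only, not a PE writer)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = struct.pack("<HHH", 0, len(v) // 2, 1) + k
    body += b"\x00" * ((-len(body)) % 4)  # pad Value to a DWORD boundary
    body += v
    body += b"\x00" * ((-len(body)) % 4)  # entries are themselves DWORD padded
    return struct.pack("<H", len(body)) + body[2:]


# Constructed sample: a stub header followed by two String entries carrying the
# values this report shows; not bytes taken from PEDIDO.exe itself.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + build_string_entry("InternalName", "Skovslotte5")
    + build_string_entry("OriginalFilename", "Skovslotte5.exe")
)


if __name__ == "__main__":
    print(check_original_filename(SAMPLE, "PEDIDO.exe"))
```

The scan is deliberately tolerant: it does not walk the resource directory, so it also works on a memory dump like the 0x416000 region above where the PE headers are not present.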
Source: C:\Users\user\Desktop\PEDIDO.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_00401441 |
Code function: 0_2_0040167D |
Code function: 0_2_00401630 |
Code function: 0_2_021DB8DA |
Code function: 0_2_021D754D |
Code function: 0_2_021D5814 |
Code function: 0_2_021D7A10 |
Code function: 0_2_021D7C39 |
Code function: 0_2_021D6068 |
Code function: 0_2_021DA48D |
Code function: 0_2_021D5A83 |
Code function: 0_2_021D5CBC |
Code function: 0_2_021D62B0 |
Code function: 0_2_021D54DB |
Code function: 0_2_021D9ED7 |
Code function: 0_2_021D6EC8 |
Code function: 0_2_021D56FC |
Code function: 0_2_021D7B1C |
Code function: 0_2_021D7D1B |
Code function: 0_2_021D6F08 |
Code function: 0_2_021D5F07 |
Code function: 0_2_021D7500 |
Code function: 0_2_021D5B38 |
Code function: 0_2_021DA941 |
Code function: 0_2_021D7342 |
Code function: 0_2_021D5167 |
Code function: 0_2_021D5B94 |
Code function: 0_2_021DA7BC |
Code function: 0_2_021D15B1 |
Code function: 0_2_021D51B1 |
Code function: 0_2_021D79A0 |
Code function: 0_2_021D59D5 |
Code function: 0_2_021D7BF4 |
Code function: 0_2_021D5DF0 |
Code function: 0_2_021D67E9 |
Code function: 0_2_021D55E0 |
Source: C:\Users\user\Desktop\PEDIDO.exe |
File created: C:\Users\user~1\AppData\Local\Temp\~DFA503C7990D69B3B8.TMP |
Source: PEDIDO.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.778170637.00000000021D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_00406171 push ds; ret | 0_2_00406172 |
Code function: 0_2_021D0678 push ecx; iretd | 0_2_021D0680 |
Code function: 0_2_021D24A4 push ebx; retf | 0_2_021D24A5 |
Code function: 0_2_021D1728 push ecx; iretd | 0_2_021D18BD |
Code function: 0_2_021D8B9E push es; iretd | 0_2_021D8B9F |
Code function: 0_2_021D15B1 push ecx; iretd | 0_2_021D18BD |
Code function: 0_2_021D17C4 push ecx; iretd | 0_2_021D18BD |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PEDIDO.exe |
RDTSC instruction interceptor: First address: 000000000040F011 second address: 000000000040F011 instructions: |
0x00000000 rdtsc
0x00000002 wait
0x00000003 mfence
0x00000006 popad
0x00000007 nop
0x00000008 nop
0x00000009 dec edi
0x0000000a mfence
0x0000000d cmp ecx, 000000D9h
0x00000013 cmp edi, 00000000h
0x00000016 jne 00007F6A04DFC4ABh
0x00000018 pushfd
0x00000019 popfd
0x0000001a cmp eax, 3Eh
0x0000001d pushad
0x0000001e lfence
0x00000021 cmp ecx, 00000096h
0x00000027 rdtsc
Source: C:\Users\user\Desktop\PEDIDO.exe |
RDTSC instruction interceptor: First address: 00000000021D6E81 second address: 00000000021D6E81 instructions: |
0x00000000 rdtsc
0x00000002 mov eax, 22DB5954h
0x00000007 xor eax, 441A9EA9h
0x0000000c sub eax, 6FF07AD2h
0x00000011 xor eax, F6D14D2Ah
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F6A04394AB8h
0x0000001e lfence
0x00000021 mov edx, 46F988CAh
0x00000026 xor edx, 81718B2Dh
0x0000002c xor edx, 9D47D208h
0x00000032 xor edx, 2531D1FBh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000003e sub edx, esi
0x00000040 ret
0x00000041 cmp dx, cx
0x00000044 pop ecx
0x00000045 add edi, edx
0x00000047 dec ecx
0x00000048 mov dword ptr [ebp+0000019Eh], edi
0x0000004e mov edi, 702D4F49h
0x00000053 cmp edx, ecx
0x00000055 add edi, 87EB9CDBh
0x0000005b sub edi, 175830E3h
0x00000061 add edi, 1F3F44BFh
0x00000067 cmp ecx, edi
0x00000069 mov edi, dword ptr [ebp+0000019Eh]
0x0000006f jne 00007F6A04394A6Ch
0x00000071 mov dword ptr [ebp+000001CFh], eax
0x00000077 mov eax, ecx
0x00000079 test dl, cl
0x0000007b push eax
0x0000007c mov eax, dword ptr [ebp+000001CFh]
0x00000082 call 00007F6A04394B7Fh
0x00000087 call 00007F6A04394AD9h
0x0000008c lfence
0x0000008f mov edx, 46F988CAh
0x00000094 xor edx, 81718B2Dh
0x0000009a xor edx, 9D47D208h
0x000000a0 xor edx, 2531D1FBh
0x000000a6 mov edx, dword ptr [edx]
0x000000a8 lfence
0x000000ab ret
0x000000ac mov esi, edx
0x000000ae pushad
0x000000af rdtsc
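The second rdtsc trace brackets a cpuid and a memory read whose operands are built at run time from chains of mov/xor/add/sub immediates, so the plain constants never appear in the shellcode. Folding those chains recovers them: the eax chain before cpuid resolves to 1 (CPUID leaf 1, whose ECX bit 31 is the hypervisor-present flag), the edx chain before `mov edx, dword ptr [edx]` resolves to 0x7FFE0014, the SystemTime field of KUSER_SHARED_DATA, and the edi chain before `cmp ecx, edi` resolves to 0, the loop-exit test. Read together, the stream samples SystemTime around rdtsc/cpuid, subtracts the previous reading held in esi and accumulates the delta in edi until ecx counts down to zero, which is consistent with a timing-based sandbox/VM check. The small emulator below is an added example written for this page, not part of the sandbox report or of GuLoader; it assumes only what the trace shows, that each chain acts on one 32-bit register with immediate operands.

```python
MASK = 0xFFFFFFFF

# mov/xor/add/sub with an immediate operand, as seen in the trace
OPS = {
    "mov": lambda reg, imm: imm,
    "xor": lambda reg, imm: reg ^ imm,
    "add": lambda reg, imm: reg + imm,
    "sub": lambda reg, imm: reg - imm,
}


def resolve(chain):
    """Fold a chain of 'op reg, imm' instructions on one 32-bit register.

    chain: (mnemonic, immediate) pairs in program order, starting with a mov.
    Returns the register value the real code holds after the last step.
    """
    reg = 0
    for mnemonic, imm in chain:
        reg = OPS[mnemonic](reg, imm) & MASK  # wrap like a 32-bit register
    return reg


# Chains transcribed from the trace: offsets 0x02-0x11 (eax before cpuid),
# 0x21-0x32 and again 0x8f-0xa0 (edx before the memory read), 0x4e-0x61 (edi).
CPUID_LEAF = [("mov", 0x22DB5954), ("xor", 0x441A9EA9),
              ("sub", 0x6FF07AD2), ("xor", 0xF6D14D2A)]
TIME_PTR = [("mov", 0x46F988CA), ("xor", 0x81718B2D),
            ("xor", 0x9D47D208), ("xor", 0x2531D1FB)]
LOOP_SENTINEL = [("mov", 0x702D4F49), ("add", 0x87EB9CDB),
                 ("sub", 0x175830E3), ("add", 0x1F3F44BF)]

# Public fields of KUSER_SHARED_DATA, mapped read-only at 0x7FFE0000 in every
# 32-bit process, so the shellcode can read clock values without any API call.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {
    0x000: "TickCountLowDeprecated",
    0x008: "InterruptTime",
    0x014: "SystemTime",
    0x2D4: "KdDebuggerEnabled",
    0x320: "TickCount",
}


def describe_pointer(addr):
    """Name the KUSER_SHARED_DATA field a resolved address points at, else None."""
    offset = addr - KUSER_SHARED_DATA
    if 0 <= offset < 0x1000:
        return "KUSER_SHARED_DATA+%#x (%s)" % (offset, KUSER_FIELDS.get(offset, "unnamed"))
    return None


if __name__ == "__main__":
    leaf = resolve(CPUID_LEAF)
    ptr = resolve(TIME_PTR)
    print("cpuid leaf:", leaf)
    print("read target:", hex(ptr), describe_pointer(ptr))
    print("loop exits when ecx ==", resolve(LOOP_SENTINEL))
```

The same folding applies to every constant-building chain in the 0x021D0000 region; resolving them before static analysis turns the opaque immediates into the API hashes, addresses and loop counts the code actually uses.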
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_021D6E18 rdtsc |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_021D980C mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_021D6CBF mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_021D9D56 mov eax, dword ptr fs:[00000030h] |
Code function: 0_2_021DA941 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PEDIDO.exe |
Code function: 0_2_021DB8DA RtlAddVectoredExceptionHandler |
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp |
Binary or memory string: uProgram Manager |
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: PEDIDO.exe, 00000000.00000002.777397061.0000000000D20000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |