Source: Contract and PI of 1500W.exe
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"} (URL as recovered by the extractor; it is cut off after export=downl)
Source: Contract and PI of 1500W.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_004022C3 4x nop then fsincos
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=downl
Source: initial sample
Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C7F56 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C8004 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C7F52 NtAllocateVirtualMemory
Source: Contract and PI of 1500W.exe, 00000001.00000002.809579266.000000000041C000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe, 00000001.00000002.810458713.0000000002920000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameFocalisi.exeFE2X vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe
Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code functions: 1_2_004022C3, 1_2_00403249, 1_2_004032CA, 1_2_004031E2, 1_2_020C7F56, 1_2_020C60BB, 1_2_020CA8D9, 1_2_020C60E8, 1_2_020C6946, 1_2_020C7F52, 1_2_020C5D7F, 1_2_020C6D7A, 1_2_020C81AE, 1_2_020C5DC2, 1_2_020C65C2, 1_2_020C61D8, 1_2_020C69D8, 1_2_020CA9ED, 1_2_020C7DF8, 1_2_020C01F6
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: String function: 0040177E appears 94 times
Source: Contract and PI of 1500W.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine
Classification label: mal72.rans.troj.evad.winEXE@1/0@0/0
Source: Yara match
File source: 00000001.00000002.810237307.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_0040205A push cs; retf
1_2_004020FD
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_0040705F push edi; retf
1_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_00408200 push FF3F4922h; retf
1_2_00408205
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_00406C0D pushad ; iretd
1_2_00406C1B
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_00407145 push edi; retf
1_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_0040630D pushfd ; ret
1_2_00406318
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_004059F3 push esi; iretd
1_2_004059F7
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C547A push esp; ret
1_2_020C547B
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C18E3 push esi; retf
1_2_020C18E6
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C4B15 push ebp; ret
1_2_020C4B18
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C1740 pushfd ; retf
1_2_020C1841
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C71BF push eax; ret
1_2_020C71C0
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C3DD5 push ss; ret
1_2_020C3DD9
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C7C0D rdtsc
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_004022C3 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_004031E2 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C9B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C9F4A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020CA9ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe
Code function: 1_2_020C77E5 mov eax, dword ptr fs:[00000030h]
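The evasion indicators listed above (reads of fs:[30h], the PEB base, at 1_2_004022C3, 1_2_004031E2 and the 1_2_020Cxxxx functions; rdtsc at 1_2_020C7C0D; the four nops followed by fsincos at 1_2_004022C3) and the push/ret, retf and iretd sequences reported earlier are fixed x86 encodings, so the same findings can be reproduced with a byte-pattern scan over the file or a memory dump. The script below is an added example and is not part of the sandbox report or of any tool the report names. It scans a buffer for those encodings and returns offset, category and mnemonic for each hit. The byte buffer it scans is constructed for the demonstration and is not taken from the analysed sample; the category names (peb_read, rdtsc, nop_fsincos, push_ret) and the function names are the example's own.

```python
"""Locate the anti-analysis instruction encodings a sandbox reports as
"Code function" findings: PEB reads via fs:[30h], rdtsc, nop-padded fsincos,
and push/ret(f)/iretd control-flow junk.  Added example; the sample bytes
are constructed, not extracted from the analysed file."""
import re
from collections import Counter

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_ONE_BYTE = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                 0x1E: "push ds", 0x60: "pushad", 0x9C: "pushfd"}
RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

PATTERNS = {
    # 64 A1 30 00 00 00            mov eax, dword ptr fs:[30h]
    # 64 8B /r 30 00 00 00         mov r32, dword ptr fs:[30h]  (ModRM mod=00, rm=101)
    "peb_read": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
    # 0F 31                        rdtsc
    "rdtsc": re.compile(rb"\x0f\x31"),
    # 90 90 90 90 [90...] D9 FB    four or more nops, then fsincos
    "nop_fsincos": re.compile(rb"\x90{4,}\xd9\xfb"),
    # push reg / push seg / pushad / pushfd / push imm32, immediately
    # followed by ret, retf or iretd
    "push_ret": re.compile(
        rb"(?:[\x50-\x57\x06\x0e\x16\x1e\x60\x9c]|\x68.{4})[\xc3\xcb\xcf]", re.DOTALL),
}


def _describe(kind, match):
    """Render a matched byte sequence in the report's mnemonic style."""
    b = match.group(0)
    if kind == "peb_read":
        reg = "eax" if b[1] == 0xA1 else REG32[(b[2] >> 3) & 7]
        return f"mov {reg}, dword ptr fs:[30h]"
    if kind == "rdtsc":
        return "rdtsc"
    if kind == "nop_fsincos":
        return f"nop x{len(b) - 2}; fsincos"
    first, last = b[0], b[-1]
    if first == 0x68:
        push = f"push {int.from_bytes(b[1:5], 'little'):08X}h"
    elif 0x50 <= first <= 0x57:
        push = f"push {REG32[first - 0x50]}"
    else:
        push = PUSH_ONE_BYTE[first]
    return f"{push}; {RET[last]}"


def scan(buf):
    """Return [(offset, category, mnemonic), ...] sorted by offset."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), kind, _describe(kind, m)))
    return sorted(hits)


def summarize(buf):
    """Count hits per category, e.g. to triage many dumps quickly."""
    return Counter(kind for _, kind, _ in scan(buf))


def scan_file(path):
    """Scan an on-disk PE or a raw memory dump (.sdmp-style) file."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed demo buffer (not bytes from the analysed sample): a benign
# prologue, then one instance of each indicator category.
SAMPLE = bytes.fromhex(
    "55 8b ec"                  # push ebp; mov ebp, esp
    "64 8b 1d 30 00 00 00"      # mov ebx, dword ptr fs:[30h]   (PEB base)
    "8a 5b 02"                  # mov bl, [ebx+2]               (BeingDebugged)
    "0f 31"                     # rdtsc
    "90 90 90 90 d9 fb"         # nop x4; fsincos
    "0e cb"                     # push cs; retf
    "68 22 49 3f ff cb"         # push FF3F4922h; retf
    "c3"                        # ret
)

if __name__ == "__main__":
    for offset, kind, text in scan(SAMPLE):
        print(f"0x{offset:08X}  {kind:<12} {text}")
```

scan_file() can be pointed at the dropped sample or at a memory dump. Two caveats apply. A raw byte scan has no notion of instruction boundaries, so a 0F 31 inside data or an immediate that happens to end in C3 will also match and every hit should be confirmed in a disassembler. And the 1_2_020Cxxxx functions in this report live in a memory region at 0x020C0000 (the Yara match above is on that dump, type MEMORY), not in the image's 0x0040xxxx code, so scanning only the file on disk will miss them.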
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Program Manager
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp
Binary or memory string: Progmanlock