Windows Analysis Report: Contract and PI of 1500W.exe

Overview

General Information

Sample Name: Contract and PI of 1500W.exe
Analysis ID: 502545
MD5: dbceab5b0f79168ffea64f16bf7f1263
SHA1: c5c25d75233ea8523111b1f964fbd482be973cd7
SHA256: 7d6174dce4980e71b083ae63d3b165b50b20855edb40ffa10a06a8e46e765cab
Tags: exe

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function
Found potential string decryption / allocating functions

Classification

AV Detection:

Found malware configuration
Source: Contract and PI of 1500W.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"}

Compliance:

Uses 32bit PE files
Source: Contract and PI of 1500W.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 4x nop then fsincos 1_2_004022C3

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downl

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Contract and PI of 1500W.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7F56 NtAllocateVirtualMemory, 1_2_020C7F56
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C8004 NtAllocateVirtualMemory, 1_2_020C8004
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7F52 NtAllocateVirtualMemory, 1_2_020C7F52
Sample file is different than original file name gathered from version info
Source: Contract and PI of 1500W.exe, 00000001.00000002.809579266.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe, 00000001.00000002.810458713.0000000002920000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFocalisi.exeFE2X vs Contract and PI of 1500W.exe
Source: Contract and PI of 1500W.exe Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe
PE file contains strange resources
Source: Contract and PI of 1500W.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004022C3 1_2_004022C3
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_00403249 1_2_00403249
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004032CA 1_2_004032CA
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004031E2 1_2_004031E2
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7F56 1_2_020C7F56
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C60BB 1_2_020C60BB
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020CA8D9 1_2_020CA8D9
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C60E8 1_2_020C60E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C6946 1_2_020C6946
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7F52 1_2_020C7F52
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C5D7F 1_2_020C5D7F
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C6D7A 1_2_020C6D7A
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C81AE 1_2_020C81AE
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C5DC2 1_2_020C5DC2
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C65C2 1_2_020C65C2
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C61D8 1_2_020C61D8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C69D8 1_2_020C69D8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020CA9ED 1_2_020CA9ED
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7DF8 1_2_020C7DF8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C01F6 1_2_020C01F6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: String function: 0040177E appears 94 times
Source: Contract and PI of 1500W.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal72.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.810237307.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_0040205A push cs; retf 1_2_004020FD
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_0040705F push edi; retf 1_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_00408200 push FF3F4922h; retf 1_2_00408205
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_00406C0D pushad ; iretd 1_2_00406C1B
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_00407145 push edi; retf 1_2_004071E8
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_0040630D pushfd ; ret 1_2_00406318
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004059F3 push esi; iretd 1_2_004059F7
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C547A push esp; ret 1_2_020C547B
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C18E3 push esi; retf 1_2_020C18E6
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C4B15 push ebp; ret 1_2_020C4B18
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C1740 pushfd ; retf 1_2_020C1841
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C71BF push eax; ret 1_2_020C71C0
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C3DD5 push ss; ret 1_2_020C3DD9
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C7C0D rdtsc 1_2_020C7C0D

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004022C3 mov ebx, dword ptr fs:[00000030h] 1_2_004022C3
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_004031E2 mov ebx, dword ptr fs:[00000030h] 1_2_004031E2
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C9B0D mov eax, dword ptr fs:[00000030h] 1_2_020C9B0D
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C9F4A mov eax, dword ptr fs:[00000030h] 1_2_020C9F4A
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020CA9ED mov eax, dword ptr fs:[00000030h] 1_2_020CA9ED
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe Code function: 1_2_020C77E5 mov eax, dword ptr fs:[00000030h] 1_2_020C77E5
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos