Source: Contract and PI of 1500W.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"} |
Source: Contract and PI of 1500W.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 4x nop then fsincos |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downl |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7F56 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C8004 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7F52 NtAllocateVirtualMemory, |
Source: Contract and PI of 1500W.exe, 00000001.00000002.809579266.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe |
Source: Contract and PI of 1500W.exe, 00000001.00000002.810458713.0000000002920000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFocalisi.exeFE2X vs Contract and PI of 1500W.exe |
Source: Contract and PI of 1500W.exe | Binary or memory string: OriginalFilenameFocalisi.exe vs Contract and PI of 1500W.exe |
Source: Contract and PI of 1500W.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004022C3 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_00403249 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004032CA |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004031E2 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7F56 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C60BB |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020CA8D9 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C60E8 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C6946 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7F52 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C5D7F |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C6D7A |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C81AE |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C5DC2 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C65C2 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C61D8 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C69D8 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020CA9ED |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7DF8 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C01F6 |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: String function: 0040177E appears 94 times |
Source: Contract and PI of 1500W.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal72.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000001.00000002.810237307.00000000020C0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_0040205A push cs; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_0040705F push edi; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_00408200 push FF3F4922h; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_00406C0D pushad ; iretd |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_00407145 push edi; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_0040630D pushfd ; ret |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004059F3 push esi; iretd |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C547A push esp; ret |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C18E3 push esi; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C4B15 push ebp; ret |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C1740 pushfd ; retf |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C71BF push eax; ret |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C3DD5 push ss; ret |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Process information set: NOOPENFILEERRORBOX (10 times)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C7C0D rdtsc |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004022C3 mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_004031E2 mov ebx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C9B0D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C9F4A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020CA9ED mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Contract and PI of 1500W.exe | Code function: 1_2_020C77E5 mov eax, dword ptr fs:[00000030h] |
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: Contract and PI of 1500W.exe, 00000001.00000002.809904221.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
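The report above names the instruction-level patterns it matched in the sample only by mnemonic and address: the "4x nop then fsincos" sequence, rdtsc, PEB reads through fs:[00000030h] (both the mov eax and mov ebx forms), and the push x; ret/retf/iretd pairs. The following is an added example, not part of the sandbox report, that scans a byte buffer for the standard 32-bit x86 encodings of those sequences and tallies them. The function names (scan, verdict) and the thresholds are assumptions made here, and the SAMPLE and BENIGN buffers are constructed for the example, not bytes taken from the analysed file.

```python
"""Static byte scan for the x86 patterns this sandbox report flags in the GuLoader
sample. Added example, not the report's own tooling: encodings are standard Intel
32-bit encodings; the sample buffers are constructed, not bytes from the analysed
file."""
import re
from collections import Counter

# Fixed-byte encodings of the sequences named by mnemonic in the report.
FIXED = {
    "nop x4 then fsincos": b"\x90\x90\x90\x90\xd9\xfb",   # 4x nop, then fsincos (D9 FB)
    "rdtsc": b"\x0f\x31",                                 # timing check
    "mov eax, fs:[30h]": b"\x64\xa1\x30\x00\x00\x00",     # PEB read, eax form
    "mov ebx, fs:[30h]": b"\x64\x8b\x1d\x30\x00\x00\x00", # PEB read, ebx form
}

# push <reg|seg|pushad|pushfd> immediately followed by ret (C3), retf (CB) or iretd (CF).
# 0x50-0x57: push eax..edi; 0x0E: push cs; 0x16: push ss; 0x60: pushad; 0x9C: pushfd.
PUSH_RET = re.compile(rb"[\x50-\x57\x0e\x16\x60\x9c][\xc3\xcb\xcf]")
# push imm32 (68 xx xx xx xx) followed by ret/retf/iretd, e.g. "push FF3F4922h; retf".
PUSH_IMM_RET = re.compile(rb"\x68.{4}[\xc3\xcb\xcf]", re.DOTALL)


def scan(blob: bytes) -> Counter:
    """Count each pattern in blob. Fixed sequences are counted with overlap allowed;
    the push/ret gadgets are counted as non-overlapping regex matches."""
    hits = Counter()
    for name, sig in FIXED.items():
        start = 0
        while (idx := blob.find(sig, start)) != -1:
            hits[name] += 1
            start = idx + 1
    hits["push x; ret/retf/iretd"] = sum(1 for _ in PUSH_RET.finditer(blob))
    hits["push imm32; ret/retf/iretd"] = sum(1 for _ in PUSH_IMM_RET.finditer(blob))
    return hits


def verdict(hits: Counter) -> str:
    """Assumed triage rule: the nop/fsincos sequence together with at least one
    anti-analysis primitive (rdtsc or a PEB read) is the combination the report
    shows. Two-byte push/ret pairs also occur by chance in data and in compiled
    code, so on their own they are only a weak indicator."""
    strong = hits["nop x4 then fsincos"] > 0
    anti_analysis = hits["rdtsc"] + hits["mov eax, fs:[30h]"] + hits["mov ebx, fs:[30h]"]
    if strong and anti_analysis:
        return "suspicious: GuLoader-style patterns"
    if strong or anti_analysis or hits["push x; ret/retf/iretd"] >= 5:
        return "weak indicators"
    return "none"


# Constructed sample: an ordinary prologue followed by the sequences the report lists.
SAMPLE = (
    b"\x55\x8b\xec"                        # push ebp; mov ebp, esp
    + b"\x90\x90\x90\x90\xd9\xfb"          # 4x nop then fsincos
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, dword ptr fs:[30h]
    + b"\x0f\x31"                          # rdtsc
    + b"\x56\xcb"                          # push esi; retf
    + b"\x0e\xcb"                          # push cs; retf
    + b"\x68\x22\x49\x3f\xff\xcb"          # push FF3F4922h; retf
    + b"\x60\xcf"                          # pushad; iretd
    + b"\x64\x8b\x1d\x30\x00\x00\x00"      # mov ebx, dword ptr fs:[30h]
    + b"\xc3" * 8                          # ret padding
)
# Constructed benign buffer: prologue, stack reserve, epilogue, nothing else.
BENIGN = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        h = scan(blob)
        print(label, dict(h), "->", verdict(h))
```

Run it over a raw PE or a memory dump (`scan(open(path, "rb").read())`) to get the same tallies the report expresses as per-address "Code function" lines. The fixed sequences are specific enough to be useful on their own; the push/ret gadget counts should be read alongside them rather than as a signal by themselves.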