Windows Analysis Report Maj PO.exe

Overview

General Information

Sample Name: Maj PO.exe
Analysis ID: 502551
MD5: ebc68c72c1d9ddb811c502683d4a72ff
SHA1: 2ba515688b053a2e6153b5f21baa379b8b120b5e
SHA256: 0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b
Tags: exe, guloader

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Compliance:

Uses 32bit PE files
Source: Maj PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_0040365D
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_00403223
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_00403431
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004034C6
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004036E7
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_00403553
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_00403772
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_00403337
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004035DB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004037F8
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004031A4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 0_2_004033AF

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Maj PO.exe, 00000000.00000002.1181562766.00000000007DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string names DirectDrawCreateEx in DDRAW.DLL, which is a DirectDraw (graphics) export, not a DirectInput one, and nothing else on this page shows a DirectInput import or keystroke capture. Treat this signature as low confidence on its own.

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Maj PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Maj PO.exe, 00000000.00000002.1180655891.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
Source: Maj PO.exe, 00000000.00000002.1181654993.00000000028B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameREJFN.exeFE2X vs Maj PO.exe
Source: Maj PO.exe Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
PE file contains strange resources
Source: Maj PO.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00401868 0_2_00401868
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004022BD 0_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00403223 0_2_00403223
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00403431 0_2_00403431
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00403553 0_2_00403553
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00403337 0_2_00403337
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004035DB 0_2_004035DB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004031A4 0_2_004031A4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004033AF 0_2_004033AF
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072BCC6 0_2_0072BCC6
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727FAC 0_2_00727FAC
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072AC6F 0_2_0072AC6F
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072801A 0_2_0072801A
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00725D04 0_2_00725D04
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_007261C0 0_2_007261C0
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_007271CB 0_2_007271CB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00726A2E 0_2_00726A2E
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072661E 0_2_0072661E
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727E0B 0_2_00727E0B
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00726AC4 0_2_00726AC4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00726ABB 0_2_00726ABB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00726286 0_2_00726286
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00726732 0_2_00726732
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727BDD 0_2_00727BDD
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Maj PO.exe Code function: String function: 0040177E appears 94 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727FAC NtAllocateVirtualMemory, 0_2_00727FAC
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072801A NtAllocateVirtualMemory, 0_2_0072801A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Maj PO.exe Process Stats: CPU usage > 98%
Source: Maj PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Maj PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Maj PO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal64.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1181513848.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00402158 pushad ; retf 0_2_00402159
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0040450B pushad ; ret 0_2_00404512
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00405DC0 push esi; retf 0_2_00405DD3
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072240F push 0000004Dh; retf 0_2_0072242B
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072158A push eax; retf 0_2_0072159A
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00722A76 push ss; retf 0_2_00722ABE
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00722A6C push ss; retf 0_2_00722ABE
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00725A3B push ss; iretd 0_2_00725A5E
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00723F62 pushfd ; ret 0_2_00723F63
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00723F5D push esi; ret 0_2_00723F61
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX (reported 10 times)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Maj PO.exe RDTSC instruction interceptor: First address: 0000000000727947 second address: 0000000000727947 instructions:
0x00000000 rdtsc
0x00000002 mov eax, B0122622h
0x00000007 xor eax, 642B2252h
0x0000000c xor eax, 52B1728Eh
0x00000011 add eax, 79778903h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F82547DE00Ch
0x0000001e lfence
0x00000021 mov edx, A241A49Eh
0x00000026 xor edx, CFB20E58h
0x0000002c xor edx, F5527884h
0x00000032 xor edx, E75FD256h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000003e cmp ch, dh
0x00000040 sub edx, esi
0x00000042 ret
0x00000043 pop ecx
0x00000044 add edi, edx
0x00000046 dec ecx
0x00000047 mov dword ptr [ebp+0000022Ch], 1F733C6Dh
0x00000051 sub dword ptr [ebp+0000022Ch], 17454528h
0x0000005b add dword ptr [ebp+0000022Ch], 269EC43Bh
0x00000065 sub dword ptr [ebp+0000022Ch], 2ECCBB80h
0x0000006f test edx, eax
0x00000071 cmp ecx, dword ptr [ebp+0000022Ch]
0x00000077 jne 00007F82547DDFAEh
0x00000079 cmp bl, al
0x0000007b mov dword ptr [ebp+00000204h], edi
0x00000081 test edx, 99F182E8h
0x00000087 mov edi, ecx
0x00000089 push edi
0x0000008a mov edi, dword ptr [ebp+00000204h]
0x00000090 test ecx, edx
0x00000092 call 00007F82547DE06Fh
0x00000097 call 00007F82547DE02Dh
0x0000009c lfence
0x0000009f mov edx, A241A49Eh
0x000000a4 xor edx, CFB20E58h
0x000000aa xor edx, F5527884h
0x000000b0 xor edx, E75FD256h
0x000000b6 mov edx, dword ptr [edx]
0x000000b8 lfence
0x000000bb ret
0x000000bc mov esi, edx
0x000000be pushad
0x000000bf rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727C4E rdtsc 0_2_00727C4E

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Maj PO.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004022BD mov ebx, dword ptr fs:[00000030h] 0_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_004031A4 mov ebx, dword ptr fs:[00000030h] 0_2_004031A4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072AC6F mov eax, dword ptr fs:[00000030h] 0_2_0072AC6F
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072A098 mov eax, dword ptr fs:[00000030h] 0_2_0072A098
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00729AFD mov eax, dword ptr fs:[00000030h] 0_2_00729AFD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_007277CC mov eax, dword ptr fs:[00000030h] 0_2_007277CC
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_00727C4E rdtsc 0_2_00727C4E
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 0_2_0072BCC6 RtlAddVectoredExceptionHandler, 0_2_0072BCC6
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos