Source: Maj PO.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004022BD |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_0040365D |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_00403223 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_00403431 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004034C6 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004036E7 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_00403553 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_00403772 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_00403337 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004035DB |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004037F8 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004031A4 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 4x nop then mov ebx, ebx |
0_2_004033AF |
Source: Maj PO.exe, 00000000.00000002.1181562766.00000000007DA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: Maj PO.exe, 00000000.00000002.1180655891.000000000041D000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe |
Source: Maj PO.exe, 00000000.00000002.1181654993.00000000028B0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameREJFN.exeFE2X vs Maj PO.exe |
Source: Maj PO.exe |
Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe |
Source: Maj PO.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00401868 |
0_2_00401868 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004022BD |
0_2_004022BD |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00403223 |
0_2_00403223 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00403431 |
0_2_00403431 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00403553 |
0_2_00403553 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00403337 |
0_2_00403337 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004035DB |
0_2_004035DB |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004031A4 |
0_2_004031A4 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004033AF |
0_2_004033AF |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072BCC6 |
0_2_0072BCC6 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00727FAC |
0_2_00727FAC |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072AC6F |
0_2_0072AC6F |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072801A |
0_2_0072801A |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00725D04 |
0_2_00725D04 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_007261C0 |
0_2_007261C0 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_007271CB |
0_2_007271CB |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00726A2E |
0_2_00726A2E |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072661E |
0_2_0072661E |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00727E0B |
0_2_00727E0B |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00726AC4 |
0_2_00726AC4 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00726ABB |
0_2_00726ABB |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00726286 |
0_2_00726286 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00726732 |
0_2_00726732 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00727BDD |
0_2_00727BDD |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: String function: 0040177E appears 94 times |
|
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00727FAC NtAllocateVirtualMemory, |
0_2_00727FAC |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072801A NtAllocateVirtualMemory, |
0_2_0072801A |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process Stats: CPU usage > 98% |
Source: Maj PO.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Maj PO.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Maj PO.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal64.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.1181513848.0000000000720000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00402158 pushad ; retf |
0_2_00402159 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0040450B pushad ; ret |
0_2_00404512 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00405DC0 push esi; retf |
0_2_00405DD3 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072240F push 0000004Dh; retf |
0_2_0072242B |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072158A push eax; retf |
0_2_0072159A |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00722A76 push ss; retf |
0_2_00722ABE |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00722A6C push ss; retf |
0_2_00722ABE |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00725A3B push ss; iretd |
0_2_00725A5E |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00723F62 pushfd ; ret |
0_2_00723F63 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00723F5D push esi; ret |
0_2_00723F61 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Maj PO.exe |
RDTSC instruction interceptor: First address: 0000000000727947 second address: 0000000000727947 instructions:
0x00000000 rdtsc
0x00000002 mov eax, B0122622h
0x00000007 xor eax, 642B2252h
0x0000000c xor eax, 52B1728Eh
0x00000011 add eax, 79778903h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F82547DE00Ch
0x0000001e lfence
0x00000021 mov edx, A241A49Eh
0x00000026 xor edx, CFB20E58h
0x0000002c xor edx, F5527884h
0x00000032 xor edx, E75FD256h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000003e cmp ch, dh
0x00000040 sub edx, esi
0x00000042 ret
0x00000043 pop ecx
0x00000044 add edi, edx
0x00000046 dec ecx
0x00000047 mov dword ptr [ebp+0000022Ch], 1F733C6Dh
0x00000051 sub dword ptr [ebp+0000022Ch], 17454528h
0x0000005b add dword ptr [ebp+0000022Ch], 269EC43Bh
0x00000065 sub dword ptr [ebp+0000022Ch], 2ECCBB80h
0x0000006f test edx, eax
0x00000071 cmp ecx, dword ptr [ebp+0000022Ch]
0x00000077 jne 00007F82547DDFAEh
0x00000079 cmp bl, al
0x0000007b mov dword ptr [ebp+00000204h], edi
0x00000081 test edx, 99F182E8h
0x00000087 mov edi, ecx
0x00000089 push edi
0x0000008a mov edi, dword ptr [ebp+00000204h]
0x00000090 test ecx, edx
0x00000092 call 00007F82547DE06Fh
0x00000097 call 00007F82547DE02Dh
0x0000009c lfence
0x0000009f mov edx, A241A49Eh
0x000000a4 xor edx, CFB20E58h
0x000000aa xor edx, F5527884h
0x000000b0 xor edx, E75FD256h
0x000000b6 mov edx, dword ptr [edx]
0x000000b8 lfence
0x000000bb ret
0x000000bc mov esi, edx
0x000000be pushad
0x000000bf rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00727C4E rdtsc |
0_2_00727C4E |
Source: C:\Users\user\Desktop\Maj PO.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004022BD mov ebx, dword ptr fs:[00000030h] |
0_2_004022BD |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_004031A4 mov ebx, dword ptr fs:[00000030h] |
0_2_004031A4 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072AC6F mov eax, dword ptr fs:[00000030h] |
0_2_0072AC6F |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072A098 mov eax, dword ptr fs:[00000030h] |
0_2_0072A098 |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_00729AFD mov eax, dword ptr fs:[00000030h] |
0_2_00729AFD |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_007277CC mov eax, dword ptr fs:[00000030h] |
0_2_007277CC |
Source: C:\Users\user\Desktop\Maj PO.exe |
Code function: 0_2_0072BCC6 RtlAddVectoredExceptionHandler, |
0_2_0072BCC6 |
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Maj PO.exe, 00000000.00000002.1181620066.0000000000D60000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |