Windows Analysis Report Orden de compra M244545.exe

Overview

General Information

Sample Name: Orden de compra M244545.exe
Analysis ID: 502566
MD5: 7c04ecf5dc6999877e87cf9c1c933a3f
SHA1: 905c177e8ea3a2173e322c13b25cd156bd6dea39
SHA256: cf7bd1c802c044a777529246743d3a5c907e4c02a29525afe2c48daee9b2fd9d
Tags: exe, guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.815267418.0000000002170000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=13CKgFgBbMK4vER"}

Compliance:

Uses 32bit PE files
Source: Orden de compra M244545.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=13CKgFgBbMK4vER

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Orden de compra M244545.exe, 00000000.00000002.815031426.00000000005EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021774BA NtAllocateVirtualMemory, 0_2_021774BA
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021774BD NtAllocateVirtualMemory, 0_2_021774BD
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021774A7 NtAllocateVirtualMemory, 0_2_021774A7
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021775BF NtAllocateVirtualMemory, 0_2_021775BF
Sample file is different than original file name gathered from version info
Source: Orden de compra M244545.exe, 00000000.00000000.287814092.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameREMEMBERER.exe vs Orden de compra M244545.exe
Source: Orden de compra M244545.exe Binary or memory string: OriginalFilenameREMEMBERER.exe vs Orden de compra M244545.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Orden de compra M244545.exe File created: C:\Users\user\AppData\Local\Temp\~DF69F4FFD7A5AEEA59.TMP
Source: Orden de compra M244545.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.815267418.0000000002170000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_004059C4 push AEED1A63h; ret 0_2_004059CF
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02171E34 push FFFFFF92h; ret 0_2_02171F4A
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217866B push esi; retf 0_2_0217866C
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02172AC3 push 1B7863C3h; ret 0_2_02172ADE
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02171C34 push FFFFFF92h; ret 0_2_02171F4A
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02174C38 push esi; ret 0_2_02174C3F
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02170099 push ebp; ret 0_2_0217009A
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021718EB push FFFFFF92h; ret 0_2_02171F4A
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02170CEB push 810A7C4Fh; ret 0_2_02170D06
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02171D1A push FFFFFF92h; ret 0_2_02171F4A
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02170100 push ebp; ret 0_2_02170101
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02172531 push ecx; retf 0_2_02172532
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Orden de compra M244545.exe RDTSC instruction interceptor: First address: 000000000040F114 second address: 000000000040F114 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 pushfd 0x00000005 popfd 0x00000006 popad 0x00000007 cmp ecx, 68h 0x0000000a pushfd 0x0000000b popfd 0x0000000c dec edi 0x0000000d mfence 0x00000010 lfence 0x00000013 cmp edi, 00000000h 0x00000016 jne 00007FA9FC372830h 0x00000018 mfence 0x0000001b cmp eax, 2Bh 0x0000001e pushad 0x0000001f pushfd 0x00000020 popfd 0x00000021 nop 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Orden de compra M244545.exe RDTSC instruction interceptor: First address: 0000000002176E32 second address: 0000000002176E32 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D4B2F1E2h 0x00000007 xor eax, 08C7D238h 0x0000000c xor eax, AF5C0C90h 0x00000011 xor eax, 73292F4Bh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FA9FC39B8BAh 0x0000001e lfence 0x00000021 mov edx, F0957472h 0x00000026 sub edx, C21253E8h 0x0000002c xor edx, 9CB6DCC2h 0x00000032 xor edx, CDCBFC5Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 cmp ax, cx 0x00000045 add edi, edx 0x00000047 dec ecx 0x00000048 mov dword ptr [ebp+000001EAh], ecx 0x0000004e mov ecx, AED5C45Ah 0x00000053 jmp 00007FA9FC39B8DAh 0x00000055 xor ecx, 64BFF28Ch 0x0000005b sub ecx, 10CB0807h 0x00000061 xor ecx, B99F2ECFh 0x00000067 cmp dword ptr [ebp+000001EAh], ecx 0x0000006d mov ecx, dword ptr [ebp+000001EAh] 0x00000073 jne 00007FA9FC39B842h 0x00000075 mov dword ptr [ebp+000001A8h], eax 0x0000007b mov eax, ecx 0x0000007d push eax 0x0000007e mov eax, dword ptr [ebp+000001A8h] 0x00000084 call 00007FA9FC39B995h 0x00000089 call 00007FA9FC39B8DBh 0x0000008e lfence 0x00000091 mov edx, F0957472h 0x00000096 sub edx, C21253E8h 0x0000009c xor edx, 9CB6DCC2h 0x000000a2 xor edx, CDCBFC5Ch 0x000000a8 mov edx, dword ptr [edx] 0x000000aa lfence 0x000000ad ret 0x000000ae mov esi, edx 0x000000b0 pushad 0x000000b1 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02176E2A rdtsc 0_2_02176E2A

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_021797C9 mov eax, dword ptr fs:[00000030h] 0_2_021797C9
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02176C45 mov eax, dword ptr fs:[00000030h] 0_2_02176C45
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_02179CD8 mov eax, dword ptr fs:[00000030h] 0_2_02179CD8
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217A977 mov eax, dword ptr fs:[00000030h] 0_2_0217A977
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217B9C4 RtlAddVectoredExceptionHandler, 0_2_0217B9C4
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BE98 RtlAddVectoredExceptionHandler, 0_2_0217BE98
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BA8B RtlAddVectoredExceptionHandler, 0_2_0217BA8B
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BAA3 RtlAddVectoredExceptionHandler, 0_2_0217BAA3
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BB08 RtlAddVectoredExceptionHandler, 0_2_0217BB08
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BB73 RtlAddVectoredExceptionHandler, 0_2_0217BB73
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BC42 RtlAddVectoredExceptionHandler, 0_2_0217BC42
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217BD78 RtlAddVectoredExceptionHandler, 0_2_0217BD78
Source: C:\Users\user\Desktop\Orden de compra M244545.exe Code function: 0_2_0217B9F0 RtlAddVectoredExceptionHandler, 0_2_0217B9F0
Source: Orden de compra M244545.exe, 00000000.00000002.815107680.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Orden de compra M244545.exe, 00000000.00000002.815107680.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Orden de compra M244545.exe, 00000000.00000002.815107680.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Orden de compra M244545.exe, 00000000.00000002.815107680.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos