Windows Analysis Report PEDIDO.exe

Overview

General Information

Sample Name: PEDIDO.exe
Analysis ID: 502709
MD5: 8bc016e5779262b772d16903af6e142c
SHA1: 5fa020fa3a63a481eff19fca06e11c424d346e9f
SHA256: 69a8e2fa9664dce4cb9ab2d1a2e7ba67bd0516b9e4c8608e9c246d614be3241f
Tags: exe, Guloader

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.779265380.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1G3zuBgFp"}
Machine Learning detection for sample
Source: PEDIDO.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1G3zuBgFp

System Summary:

Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: PEDIDO.exe, 00000000.00000000.248785183.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe
Source: PEDIDO.exe Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PEDIDO.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00401673 0_2_00401673
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00401626 0_2_00401626
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00401437 0_2_00401437
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F3002 0_2_020F3002
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F1210 0_2_020F1210
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020FA827 0_2_020FA827
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F4C35 0_2_020F4C35
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F226F 0_2_020F226F
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F208C 0_2_020F208C
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F029F 0_2_020F029F
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F1CA5 0_2_020F1CA5
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F00D5 0_2_020F00D5
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F4F38 0_2_020F4F38
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F0132 0_2_020F0132
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F6D4C 0_2_020F6D4C
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F2340 0_2_020F2340
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F1F7A 0_2_020F1F7A
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F0179 0_2_020F0179
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F4D92 0_2_020F4D92
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F53BE 0_2_020F53BE
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F4FF3 0_2_020F4FF3
Source: C:\Users\user\Desktop\PEDIDO.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFF079A81BD057904A.TMP
Source: PEDIDO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PEDIDO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.779265380.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_00405AC6 push esi; ret 0_2_00405ACD
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_004046A8 push es; ret 0_2_004046EF
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F0442 push FFFFFFFEh; ret 0_2_020F0444
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F2F71 pushad ; retn 0004h 0_2_020F2F8B
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F1781 push ds; retf 0_2_020F1787
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F27B0 pushfd ; iretd 0_2_020F27B1
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F09E3 push edi; iretd 0_2_020F09E4
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F0BF4 push edi; retf 0_2_020F0BF8
Source: C:\Users\user\Desktop\PEDIDO.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PEDIDO.exe RDTSC instruction interceptor: First address: 000000000040EFEE second address: 000000000040EFEE instructions:
  0x00000000 rdtsc
  0x00000002 nop
  0x00000003 lfence
  0x00000006 popad
  0x00000007 lfence
  0x0000000a cmp ecx, 0000009Fh
  0x00000010 dec edi
  0x00000011 pushfd
  0x00000012 popfd
  0x00000013 wait
  0x00000014 cmp edi, 00000000h
  0x00000017 jne 00007FA2BC937948h
  0x00000019 mfence
  0x0000001c cmp eax, 000000C2h
  0x00000021 pushad
  0x00000022 cmp eax, 000000EEh
  0x00000027 mfence
  0x0000002a rdtsc
Source: C:\Users\user\Desktop\PEDIDO.exe RDTSC instruction interceptor: First address: 00000000020F6E7E second address: 00000000020F6E7E instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 5ECAEB07h
  0x00000007 xor eax, E8969DE3h
  0x0000000c xor eax, DEB35923h
  0x00000011 add eax, 9710D03Ah
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007FA2BCDE0628h
  0x0000001e lfence
  0x00000021 mov edx, 03C503D6h
  0x00000026 xor edx, A24BC650h
  0x0000002c sub edx, AA10D02Ch
  0x00000032 xor edx, 8883F54Eh
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 cmp eax, 4C4E4F0Bh
  0x00000046 pop ecx
  0x00000047 add edi, edx
  0x00000049 dec ecx
  0x0000004a mov dword ptr [ebp+00000237h], EBF6D632h
  0x00000054 xor dword ptr [ebp+00000237h], BEC846FDh
  0x0000005e xor dword ptr [ebp+00000237h], 3DA10DDDh
  0x00000068 add dword ptr [ebp+00000237h], 976062EEh
  0x00000072 cmp ecx, dword ptr [ebp+00000237h]
  0x00000078 jne 00007FA2BCDE0575h
  0x0000007e mov dword ptr [ebp+00000245h], esi
  0x00000084 mov esi, ecx
  0x00000086 push esi
  0x00000087 mov esi, dword ptr [ebp+00000245h]
  0x0000008d jmp 00007FA2BCDE067Eh
  0x0000008f test eax, ecx
  0x00000091 call 00007FA2BCDE069Bh
  0x00000096 call 00007FA2BCDE0649h
  0x0000009b lfence
  0x0000009e mov edx, 03C503D6h
  0x000000a3 xor edx, A24BC650h
  0x000000a9 sub edx, AA10D02Ch
  0x000000af xor edx, 8883F54Eh
  0x000000b5 mov edx, dword ptr [edx]
  0x000000b7 lfence
  0x000000ba ret
  0x000000bb mov esi, edx
  0x000000bd pushad
  0x000000be rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F6E76 rdtsc 0_2_020F6E76

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PEDIDO.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F9612 mov eax, dword ptr fs:[00000030h] 0_2_020F9612
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020FA827 mov eax, dword ptr fs:[00000030h] 0_2_020FA827
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F6C6E mov eax, dword ptr fs:[00000030h] 0_2_020F6C6E
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F9BB0 mov eax, dword ptr fs:[00000030h] 0_2_020F9BB0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 0_2_020F6E76 rdtsc 0_2_020F6E76
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos