Source: 00000000.00000002.779265380.00000000020F0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1G3zuBgFp"} |
Source: PEDIDO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1G3zuBgFp |
Source: PEDIDO.exe, 00000000.00000000.248785183.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe |
Source: PEDIDO.exe | Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe |
Source: C:\Users\user\Desktop\PEDIDO.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_00401673 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_00401626 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_00401437 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F3002 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F1210 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020FA827 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F4C35 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F226F |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F208C |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F029F |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F1CA5 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F00D5 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F4F38 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F0132 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F6D4C |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F2340 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F1F7A |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F0179 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F4D92 |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F53BE |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F4FF3 |
Source: C:\Users\user\Desktop\PEDIDO.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DFF079A81BD057904A.TMP | Jump to behavior |
Source: PEDIDO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\PEDIDO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\PEDIDO.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0 |
Source: Yara match | File source: 00000000.00000002.779265380.00000000020F0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_00405AC6 push esi; ret |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_004046A8 push es; ret |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F0442 push FFFFFFFEh; ret |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F2F71 pushad ; retn 0004h |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F1781 push ds; retf |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F27B0 pushfd ; iretd |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F09E3 push edi; iretd |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F0BF4 push edi; retf |
Source: C:\Users\user\Desktop\PEDIDO.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PEDIDO.exe | RDTSC instruction interceptor: First address: 000000000040EFEE second address: 000000000040EFEE instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 lfence 0x00000006 popad 0x00000007 lfence 0x0000000a cmp ecx, 0000009Fh 0x00000010 dec edi 0x00000011 pushfd 0x00000012 popfd 0x00000013 wait 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007FA2BC937948h 0x00000019 mfence 0x0000001c cmp eax, 000000C2h 0x00000021 pushad 0x00000022 cmp eax, 000000EEh 0x00000027 mfence 0x0000002a rdtsc |
Source: C:\Users\user\Desktop\PEDIDO.exe | RDTSC instruction interceptor: First address: 00000000020F6E7E second address: 00000000020F6E7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5ECAEB07h 0x00000007 xor eax, E8969DE3h 0x0000000c xor eax, DEB35923h 0x00000011 add eax, 9710D03Ah 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FA2BCDE0628h 0x0000001e lfence 0x00000021 mov edx, 03C503D6h 0x00000026 xor edx, A24BC650h 0x0000002c sub edx, AA10D02Ch 0x00000032 xor edx, 8883F54Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 cmp eax, 4C4E4F0Bh 0x00000046 pop ecx 0x00000047 add edi, edx 0x00000049 dec ecx 0x0000004a mov dword ptr [ebp+00000237h], EBF6D632h 0x00000054 xor dword ptr [ebp+00000237h], BEC846FDh 0x0000005e xor dword ptr [ebp+00000237h], 3DA10DDDh 0x00000068 add dword ptr [ebp+00000237h], 976062EEh 0x00000072 cmp ecx, dword ptr [ebp+00000237h] 0x00000078 jne 00007FA2BCDE0575h 0x0000007e mov dword ptr [ebp+00000245h], esi 0x00000084 mov esi, ecx 0x00000086 push esi 0x00000087 mov esi, dword ptr [ebp+00000245h] 0x0000008d jmp 00007FA2BCDE067Eh 0x0000008f test eax, ecx 0x00000091 call 00007FA2BCDE069Bh 0x00000096 call 00007FA2BCDE0649h 0x0000009b lfence 0x0000009e mov edx, 03C503D6h 0x000000a3 xor edx, A24BC650h 0x000000a9 sub edx, AA10D02Ch 0x000000af xor edx, 8883F54Eh 0x000000b5 mov edx, dword ptr [edx] 0x000000b7 lfence 0x000000ba ret 0x000000bb mov esi, edx 0x000000bd pushad 0x000000be rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F6E76 rdtsc |
Source: C:\Users\user\Desktop\PEDIDO.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F9612 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020FA827 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F6C6E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PEDIDO.exe | Code function: 0_2_020F9BB0 mov eax, dword ptr fs:[00000030h] |
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager |
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: PEDIDO.exe, 00000000.00000002.778371334.0000000000C60000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |