Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"}
Source: n#U00ba410000512664.exe
Joe Sandbox ML: detected
Note: the sample name is shown as Joe Sandbox escapes it; #U00ba is U+00BA, so the submitted file name was nº410000512664.exe. The escaped form is kept throughout because it is the identifier the report uses.
Source: n#U00ba410000512664.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://drive.google.com/uc?export=downlo_
Source: n#U00ba410000512664.exe
String found in binary or memory: http://topqualityfreeware.com
Source: n#U00ba410000512664.exe
String found in binary or memory: http://www.topqualityfreeware.com/
Source: n#U00ba410000512664.exe, 00000000.00000000.252485383.0000000000426000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe
Source: n#U00ba410000512664.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
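The rows above are the flattened table cells of the sandbox report, with the trailing "|" and the "Jump to behavior" links left by extraction. The following is an added example, not part of the report or of Joe Sandbox, that parses rows in that shape into IOC buckets (URLs, created files, registry keys, loaded modules, memory dumps), de-duplicates repeated findings, and decodes the #Uxxxx filename escaping. The sample rows are constructed from this report, the truncated payload URL is kept exactly as the report shows it, and the #Uxxxx decoding is an assumed convention.

```python
"""Parse flattened Joe Sandbox 'Source | finding' rows into IOC buckets.

Added example, not part of the sandbox report or of Joe Sandbox itself."""
import re
from collections import defaultdict

# Constructed sample: rows copied from this report as the text extraction
# left them, trailing table-cell '|' and "Jump to behavior" links included.
# The payload URL is truncated exactly as it appears in the report.
SAMPLE_ROWS = r"""
Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"} |
Source: n#U00ba410000512664.exe |
String found in binary or memory: http://topqualityfreeware.com |
Source: n#U00ba410000512664.exe |
String found in binary or memory: http://www.topqualityfreeware.com/ |
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMP |
Jump to behavior |
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Jump to behavior |
Source: n#U00ba410000512664.exe |
String found in binary or memory: http://topqualityfreeware.com |
"""

NAV_RESIDUE = {"Jump to behavior"}          # interactive-page links, not findings
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Joe Sandbox escapes non-ASCII filename characters as #Uxxxx (assumed
# convention; #U00ba is U+00BA, the masculine ordinal indicator).
JOE_ESCAPE_RE = re.compile(r"#U([0-9A-Fa-f]{4})")


def parse_rows(text):
    """Yield (source, finding) pairs; strips trailing '|' and navigation residue."""
    source = None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or line in NAV_RESIDUE:
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
        elif source is not None:
            yield source, line


def unique_findings(text):
    """Sorted, de-duplicated (source, finding) pairs."""
    return sorted(set(parse_rows(text)))


def decode_joe_filename(name):
    """Turn the #Uxxxx escape back into the original character."""
    return JOE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def extract_iocs(text):
    """Bucket IOCs by type; returns {bucket: sorted list}."""
    iocs = defaultdict(set)
    for source, finding in unique_findings(text):
        for url in URL_RE.findall(finding):
            iocs["urls"].add(url)
        for prefix, bucket in (("File created: ", "files"),
                               ("Key opened: ", "registry_keys"),
                               ("Section loaded: ", "loaded_modules")):
            if finding.startswith(prefix):
                iocs[bucket].add(finding[len(prefix):])
        # A source cell may list the on-disk file and a memory dump together.
        for part in source.split(", "):
            if part.endswith(".sdmp"):
                iocs["memory_dumps"].add(part)
    return {bucket: sorted(values) for bucket, values in iocs.items()}


if __name__ == "__main__":
    for bucket, values in extract_iocs(SAMPLE_ROWS).items():
        print(bucket, values)
    print(decode_joe_filename("n#U00ba410000512664.exe"))
```

The URL regex stops at a quote, so the payload URL comes out of the JSON config cell intact but still truncated; nothing here guesses at the missing part.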
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Code functions: 0_2_004090A6, 0_2_02206B59, 0_2_021FE22D, 0_2_021F9E78, 0_2_021F9AAB, 0_2_021F92A8, 0_2_021FAADB, 0_2_021FAED8, 0_2_02204AF5, 0_2_021F9314, 0_2_021F0B33, 0_2_021FA320, 0_2_021FA75D, 0_2_021FA364, 0_2_021F9FAC, 0_2_021F9BD3, 0_2_021F9836, 0_2_021FAC2E, 0_2_021F9858, 0_2_021FB044, 0_2_021FA878, 0_2_021FD4B3, 0_2_021FA4CC, 0_2_021FA0EF, 0_2_02202D07, 0_2_021F9950, 0_2_021F9D50, 0_2_021FAD6F, 0_2_021FB186, 0_2_021FA9B7
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
File created: C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMP
Source: n#U00ba410000512664.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key holds the per-user Software Restriction Policy rules and is read whenever Windows evaluates those policies for a new process or image, so on its own the open is weak evidence of policy tampering.
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (Visual Basic 6 runtime)
Source: classification engine
Classification label: mal68.troj.evad.winEXE@1/1@0/0
Source: Yara match
File source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Code function: 0_2_00404401 pushfd ; retf (0_2_0040441E)
Code function: 0_2_00403826 push es; ret (0_2_00403828)
Code function: 0_2_004044E5 pushfd ; retf (0_2_004044E6)
Code function: 0_2_00404584 pushfd ; retf (0_2_00404596)
Code function: 0_2_00404599 pushfd ; retf (0_2_004045AA)
Code function: 0_2_004051BE push dword ptr [esi]; iretd (0_2_004051C5)
Code function: 0_2_0040665D pushfd ; retf (0_2_0040665E)
Code function: 0_2_00404279 pushfd ; retf (0_2_0040427A)
Code function: 0_2_004062C1 pushfd ; retf (0_2_004062C2)
Code function: 0_2_004072E1 pushfd ; retf (0_2_0040730E)
Code function: 0_2_004096FC push eax; iretd (0_2_004096FF)
Code function: 0_2_00404349 pushfd ; retf (0_2_0040434A)
Code function: 0_2_00404335 pushfd ; retf (0_2_00404346)
Code function: 0_2_0040633D pushfd ; retf (0_2_0040634A)
Code function: 0_2_004067DE pushfd ; retf (0_2_004067E6)
Code function: 0_2_0040A784 push 18165C0Eh; iretd (0_2_0040A789)
Code function: 0_2_021F423B push 81528D88h; ret (0_2_021F4240)
Code function: 0_2_021F2644 push ss; retf (0_2_021F2645)
Code function: 0_2_021F6E73 push E8000002h; retf (0_2_021F6E78)
Code function: 0_2_021F5ECB push edi; ret (0_2_021F5EC2)
Code function: 0_2_021F0EF4 push eax; retf (0_2_021F0F07)
Code function: 0_2_021F5C22 push edi; ret (0_2_021F5EC2)
Code function: 0_2_021F1447 push ds; ret (0_2_021F1449)
Code function: 0_2_021F48A7 pushfd ; ret (0_2_021F4A0D)
Code function: 0_2_021F491D pushfd ; ret (0_2_021F4A0D)
Code function: 0_2_021F191A push ebx; retf (0_2_021F1920)
Code function: 0_2_021F4924 pushfd ; ret (0_2_021F4A0D)
Code function: 0_2_021F5DDC push edi; ret (0_2_021F5EC2)
Code function: 0_2_021F5DC1 push edi; ret (0_2_021F5EC2)
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Code function: 0_2_021FCAA8 rdtsc
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Code functions: 0_2_021FC664, 0_2_022032C9, 0_2_021F8730, 0_2_0220286B, each containing mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in the 32-bit TEB, so these are direct PEB reads that bypass the documented API)
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe
Code function: 0_2_02206B59 RtlAddVectoredExceptionHandler
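The findings above are static signature hits on the dumped code: the rdtsc timing check, the direct fs:[30h] PEB reads, and the pushfd/push ... ; ret/retf/iretd idioms that turn a push into an obfuscated branch. The following is an added example, not part of the report or of Joe Sandbox, that reproduces that kind of scan over raw x86 bytes. The byte patterns are the standard 32-bit encodings of those instructions; the verdict thresholds in looks_evasive are my own heuristic, and the input buffer is a constructed stub that reuses the 81528D88h immediate from the report.

```python
"""Scan raw x86 bytes for the anti-analysis opcode idioms the report flags.

Added example, not part of the sandbox report or of Joe Sandbox itself."""
import re
from collections import Counter

# Standard 32-bit x86 encodings of the flagged instruction idioms. Matching
# raw bytes without disassembly can hit data or mid-instruction bytes, so
# treat hits as leads to confirm in a disassembler, not as proof.
PATTERNS = {
    "rdtsc": re.compile(rb"\x0f\x31"),
    "mov eax, fs:[30h] (PEB read)": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "pushfd ; retf": re.compile(rb"\x9c\xcb"),
    "pushfd ; ret": re.compile(rb"\x9c\xc3"),
    "push es/cs/ss/ds ; ret/retf": re.compile(rb"[\x06\x0e\x16\x1e][\xc3\xcb]"),
    "push reg32 ; ret/retf/iretd": re.compile(rb"[\x50-\x57][\xc3\xcb\xcf]"),
    "push imm32 ; ret/retf": re.compile(rb"\x68.{4}[\xc3\xcb]", re.DOTALL),
    "push dword ptr [esi] ; iretd": re.compile(rb"\xff\x36\xcf"),
}

# Constructed stub mimicking the report's hits: two rdtsc reads around a
# short sequence (timing delta), a PEB read followed by a BeingDebugged
# fetch, and three push-then-return branches.
STUB = b"".join([
    b"\x55\x8b\xec",              # push ebp ; mov ebp, esp
    b"\x0f\x31",                  # rdtsc
    b"\x8b\xd8",                  # mov ebx, eax
    b"\x0f\x31",                  # rdtsc
    b"\x2b\xc3",                  # sub eax, ebx          (cycle delta)
    b"\x64\xa1\x30\x00\x00\x00",  # mov eax, fs:[30h]     (PEB)
    b"\x0f\xb6\x40\x02",          # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x9c\xcb",                  # pushfd ; retf
    b"\x68\x88\x8d\x52\x81\xc3",  # push 81528D88h ; ret  (immediate from the report)
    b"\x50\xcf",                  # push eax ; iretd
    b"\xc9\xc3",                  # leave ; ret
])
# Constructed benign function for comparison.
BENIGN = b"\x55\x8b\xec\x33\xc0\xc9\xc3"  # push ebp; mov ebp,esp; xor eax,eax; leave; ret


def scan(buf):
    """Return (offset, idiom) hits sorted by offset."""
    hits = []
    for name, pat in PATTERNS.items():
        hits.extend((m.start(), name) for m in pat.finditer(buf))
    return sorted(hits)


def summarize(buf):
    """Count hits per idiom."""
    return Counter(name for _, name in scan(buf))


def looks_evasive(buf):
    """Heuristic verdict (my thresholds): a timing check (rdtsc at least twice)
    together with a direct PEB read, or at least two push-then-return branches."""
    counts = summarize(buf)
    timing_and_peb = counts["rdtsc"] >= 2 and counts["mov eax, fs:[30h] (PEB read)"] >= 1
    obfuscated_branches = sum(n for name, n in counts.items() if name.startswith("push"))
    return timing_and_peb or obfuscated_branches >= 2


if __name__ == "__main__":
    for offset, name in scan(STUB):
        print(f"{offset:#06x}  {name}")
    print("evasive:", looks_evasive(STUB), "| benign:", looks_evasive(BENIGN))
```

Run against a dumped region such as the 021F0000 memory image listed above, the offsets map straight onto the 0_2_021Fxxxx addresses in the report once the region's base is added; the report's own hits come from disassembled functions, so expect this raw-byte scan to report a superset.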
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp
Binary or memory strings: "Shell_TrayWnd", "Progman", "SProgram Managerl", "Shell_TrayWnd,", "Progmanlock"
Note: Shell_TrayWnd and Progman are the window class names of the taskbar and the desktop window, and "Program Manager" is the desktop window's title; the extra leading and trailing characters in the longer hits are adjacent bytes from the dump, not part of the strings.