Source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"} |
Source: Sales Order List.exe |
ReversingLabs: Detection: 40% |
Source: Sales Order List.exe |
Joe Sandbox ML: detected |
Source: Sales Order List.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=downloads;R |
Source: Sales Order List.exe |
String found in binary or memory: http://topqualityfreeware.com |
Source: Sales Order List.exe |
String found in binary or memory: http://www.topqualityfreeware.com/ |
Source: initial sample |
Static PE information: Filename: Sales Order List.exe |
Source: Sales Order List.exe, 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe |
Source: Sales Order List.exe |
Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe |
Source: Sales Order List.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02106B37 |
1_2_02106B37 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FDBA3 |
1_2_020FDBA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F4279 |
1_2_020F4279 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FE295 |
1_2_020FE295 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F42A5 |
1_2_020F42A5 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F12D4 |
1_2_020F12D4 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02104F00 |
1_2_02104F00 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02102B30 |
1_2_02102B30 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FDBDF |
1_2_020FDBDF |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F3FD5 |
1_2_020F3FD5 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F9FE8 |
1_2_020F9FE8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FD01F |
1_2_020FD01F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02103D63 |
1_2_02103D63 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02104993 |
1_2_02104993 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FD5FC |
1_2_020FD5FC |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FDBA3 NtAllocateVirtualMemory, |
1_2_020FDBA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FDBDF NtAllocateVirtualMemory, |
1_2_020FDBDF |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process Stats: CPU usage > 98% |
Source: Sales Order List.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Sales Order List.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF904D784913DB7A54.TMP |
Source: classification engine |
Classification label: mal84.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_00404402 pushfd ; retf |
1_2_0040441F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_00403827 push es; ret |
1_2_00403829 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_004044E6 pushfd ; retf |
1_2_004044E7 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040A880 pushfd ; ret |
1_2_0040A894 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040A101 push edx; retf |
1_2_0040A10A |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_00404585 pushfd ; retf |
1_2_00404597 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040459A pushfd ; retf |
1_2_004045AB |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_004051BF push dword ptr [esi]; iretd |
1_2_004051C6 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040665E pushfd ; retf |
1_2_0040665F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040427A pushfd ; retf |
1_2_0040427B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_004062C2 pushfd ; retf |
1_2_004062C3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040A6C2 push ebx; retf |
1_2_0040A6CA |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_004072E2 pushfd ; retf |
1_2_0040730F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040434A pushfd ; retf |
1_2_0040434B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_00404336 pushfd ; retf |
1_2_00404347 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_0040633E pushfd ; retf |
1_2_0040634B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_004067DF pushfd ; retf |
1_2_004067E7 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F3FD5 push ebp; retf 67B7h |
1_2_020F5122 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F5FF4 push esp; iretd |
1_2_020F5FF5 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F0012 push AE35C959h; retf |
1_2_020F001E |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F6479 push esp; iretd |
1_2_020F66CA |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F24F2 push 812B1A06h; ret |
1_2_020F24FD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F6573 push esp; iretd |
1_2_020F66CA |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020F7198 pushad ; retf |
1_2_020F7199 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Sales Order List.exe |
RDTSC instruction interceptor: First address: 00000000021038C0 second address: 00000000021038C0 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 5F6A47EFh
0x00000007 xor eax, 22268717h
0x0000000c xor eax, 5FCDF500h
0x00000011 sub eax, 228135F7h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F1730B5F5D7h
0x0000001e lfence
0x00000021 mov edx, 87FFB988h
0x00000026 xor edx, 8DA6BE96h
0x0000002c add edx, 16C465BAh
0x00000032 xor edx, 5EE36CCCh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d test ah, ah
0x0000003f cmp dx, 744Ch
0x00000044 cmp ch, ah
0x00000046 test edx, edx
0x00000048 ret
0x00000049 sub edx, esi
0x0000004b ret
0x0000004c cmp ecx, ebx
0x0000004e add edi, edx
0x00000050 dec dword ptr [ebp+000000F8h]
0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005d jne 00007F1730B5F4EAh
0x0000005f call 00007F1730B5F61Ch
0x00000064 call 00007F1730B5F5F8h
0x00000069 lfence
0x0000006c mov edx, 87FFB988h
0x00000071 xor edx, 8DA6BE96h
0x00000077 add edx, 16C465BAh
0x0000007d xor edx, 5EE36CCCh
0x00000083 mov edx, dword ptr [edx]
0x00000085 lfence
0x00000088 test ah, ah
0x0000008a cmp dx, 744Ch
0x0000008f cmp ch, ah
0x00000091 test edx, edx
0x00000093 ret
0x00000094 mov esi, edx
0x00000096 pushad
0x00000097 rdtsc |
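Added example, not part of the Joe Sandbox output: the mov/xor/add/sub chains in the RDTSC interceptor trace above hide two constants behind arithmetic that only resolves when the code runs. The Python below folds those chains from the trace text, which is copied from the report and embedded as a constructed string. Folding gives eax = 1 at the cpuid (leaf 1, whose ECX bit 31 is the hypervisor-present bit) and edx = 0x7FFE0014 at the dereference, which is KUSER_SHARED_DATA (mapped read-only at 0x7FFE0000 in every user-mode process) + 0x14, the SystemTime field. Reading SystemTime between two rdtsc samples is consistent with a cycle-counter versus wall-clock timing check, but the report itself only records the instructions; the emulator, the field table and that interpretation are added here, and the emulator only tracks full 32-bit registers.

```python
"""Fold GuLoader's obfuscated immediates out of a sandbox instruction trace.

Added example, not part of the sandbox report: a minimal constant-folding
emulator for the mov/xor/add/sub chains seen in the RDTSC interceptor trace.
"""
import re

MASK32 = 0xFFFFFFFF
KUSER_SHARED_DATA = 0x7FFE0000          # fixed user-mode mapping on Windows
# Fields of KUSER_SHARED_DATA commonly read by timing checks (offset: name)
KUSER_FIELDS = {0x08: "InterruptTime", 0x14: "SystemTime", 0x320: "TickCount"}
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
        "al", "ah", "bl", "bh", "cl", "ch", "dl", "dh"}

# Constructed input: the interceptor trace copied from the report above
TRACE = (
    "0x00000000 rdtsc 0x00000002 mov eax, 5F6A47EFh 0x00000007 xor eax, 22268717h "
    "0x0000000c xor eax, 5FCDF500h 0x00000011 sub eax, 228135F7h 0x00000016 cpuid "
    "0x00000018 popad 0x00000019 call 00007F1730B5F5D7h 0x0000001e lfence "
    "0x00000021 mov edx, 87FFB988h 0x00000026 xor edx, 8DA6BE96h "
    "0x0000002c add edx, 16C465BAh 0x00000032 xor edx, 5EE36CCCh "
    "0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test ah, ah "
    "0x0000003f cmp dx, 744Ch 0x00000044 cmp ch, ah 0x00000046 test edx, edx "
    "0x00000048 ret 0x00000049 sub edx, esi 0x0000004b ret 0x0000004c cmp ecx, ebx "
    "0x0000004e add edi, edx 0x00000050 dec dword ptr [ebp+000000F8h] "
    "0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005d jne 00007F1730B5F4EAh "
    "0x0000005f call 00007F1730B5F61Ch 0x00000064 call 00007F1730B5F5F8h 0x00000069 lfence "
    "0x0000006c mov edx, 87FFB988h 0x00000071 xor edx, 8DA6BE96h "
    "0x00000077 add edx, 16C465BAh 0x0000007d xor edx, 5EE36CCCh "
    "0x00000083 mov edx, dword ptr [edx] 0x00000085 lfence 0x00000088 test ah, ah "
    "0x0000008a cmp dx, 744Ch 0x0000008f cmp ch, ah 0x00000091 test edx, edx "
    "0x00000093 ret 0x00000094 mov esi, edx 0x00000096 pushad 0x00000097 rdtsc"
)


def parse_trace(text):
    """Split 'OFFSET instr OFFSET instr ...' into a list of instruction strings."""
    return [p.strip() for p in re.split(r"0x[0-9A-Fa-f]{8}\s+", text) if p.strip()]


def operand_value(op, regs):
    """Register -> tracked value (None if unknown); immediate 'XXXXh' -> int."""
    if op in REGS:
        return regs.get(op)
    if re.fullmatch(r"[0-9A-Fa-f]+h", op):
        return int(op[:-1], 16)
    return None


def emulate(instrs):
    """Track 32-bit register values through mov/xor/add/sub and record the
    values that reach cpuid (eax) and memory dereferences ([reg])."""
    regs = {}
    events = []
    for ins in instrs:
        mnem, _, ops = ins.partition(" ")
        if mnem == "cpuid":
            events.append(("cpuid", regs.get("eax")))
            continue
        if mnem not in ("mov", "xor", "add", "sub"):
            continue  # junk compares, branches and fences do not touch the chain
        dst, src = [o.strip() for o in ops.split(",", 1)]
        mem = re.search(r"\[(\w+)\]", src)
        if mem:  # mov reg, dword ptr [reg]: report the resolved pointer
            events.append(("deref", regs.get(mem.group(1))))
            regs[dst] = None  # value read from memory is unknown statically
            continue
        val = operand_value(src, regs)
        cur = regs.get(dst)
        if mnem == "mov":
            regs[dst] = val
        elif val is None or cur is None:
            regs[dst] = None
        elif mnem == "xor":
            regs[dst] = cur ^ val
        elif mnem == "add":
            regs[dst] = (cur + val) & MASK32
        else:  # sub
            regs[dst] = (cur - val) & MASK32
    return events


def describe(events):
    """Turn raw events into analyst-readable findings."""
    notes = []
    for kind, val in events:
        if val is None:
            notes.append(f"{kind}: value not statically resolvable")
        elif kind == "cpuid":
            hint = " (leaf 1: ECX bit 31 is the hypervisor-present bit)" if val == 1 else ""
            notes.append(f"cpuid with eax={val:#x}{hint}")
        elif KUSER_SHARED_DATA <= val < KUSER_SHARED_DATA + 0x1000:
            off = val - KUSER_SHARED_DATA
            notes.append(f"reads KUSER_SHARED_DATA+{off:#x} ({KUSER_FIELDS.get(off, 'unlisted field')})")
        else:
            notes.append(f"dereferences {val:#010x}")
    return notes


def analyze(text=TRACE):
    return emulate(parse_trace(text))


if __name__ == "__main__":
    for line in describe(analyze()):
        print(line)
```

The same folding applies to any GuLoader trace pasted in place of TRACE; the second copy of the edx chain in this trace resolves to the same SystemTime pointer, which is why the report shows the read twice.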
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02103AA0 rdtsc |
1_2_02103AA0 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02102200 mov eax, dword ptr fs:[00000030h] |
1_2_02102200 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_020FD2AD mov eax, dword ptr fs:[00000030h] |
1_2_020FD2AD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02104F00 mov eax, dword ptr fs:[00000030h] |
1_2_02104F00 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02102DB4 mov eax, dword ptr fs:[00000030h] |
1_2_02102DB4 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 1_2_02106B37 RtlAddVectoredExceptionHandler, |
1_2_02106B37 |
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |