Windows Analysis Report Doc0011222003.exe

Overview

General Information

Sample Name: Doc0011222003.exe
Analysis ID: 527215
MD5: e70022c5636db76b71c8b2c56552c60c
SHA1: 4589b37f02bb95d26bb2ba369c46c99268ce2985
SHA256: 0226b26f82ea7ab25ad85a4cfda530f7b28f91b1d57f8ca0361b7b03e8ce59bb
Tags: exe
Detection

GuLoader
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage

Classification

Compliance:

Uses 32bit PE files
Source: Doc0011222003.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Uses 32bit PE files
Source: Doc0011222003.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChalybes.exeFE2X vs Doc0011222003.exe
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChalybes.exeFE2XZ vs Doc0011222003.exe
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChalybes.exeFE2X3 vs Doc0011222003.exe
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChalybes.exeFE2X_ vs Doc0011222003.exe
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameChalybes.exeFE2X0 vs Doc0011222003.exe
Source: Doc0011222003.exe, 00000000.00000002.826040028.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe
Source: Doc0011222003.exe Binary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe
PE file contains strange resources
Source: Doc0011222003.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Doc0011222003.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Doc0011222003.exe File created: C:\Users\user\AppData\Local\Temp\~DFC89CDF2998EDD482.TMP
Source: Doc0011222003.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Doc0011222003.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Doc0011222003.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal56.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.826048690.00000000004F0000.00000040.00000010.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Doc0011222003.exe Code function: 0_2_00405840 push ds; ret 0_2_00405842
Source: C:\Users\user\Desktop\Doc0011222003.exe Code function: 0_2_00409069 push edx; ret 0_2_00409080
Source: C:\Users\user\Desktop\Doc0011222003.exe Code function: 0_2_0040415D push edx; retf 0_2_00404169
Source: C:\Users\user\Desktop\Doc0011222003.exe Code function: 0_2_00405EB0 push cs; iretd 0_2_00405EB1
Source: C:\Users\user\Desktop\Doc0011222003.exe Code function: 0_2_00403B17 push ebx; ret 0_2_00403B23
Source: initial sample Static PE information: section name: .text entropy: 7.08459440381
Source: C:\Users\user\Desktop\Doc0011222003.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Doc0011222003.exe RDTSC instruction interceptor: First address: 00000000004F58CE second address: 00000000004F58CE instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, F54B2F39h
  0x00000007 sub eax, C70568A7h
  0x0000000c add eax, FDF4D585h
  0x00000011 add eax, D3C563EAh
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007FA278D8C42Ah
  0x0000001e lfence
  0x00000021 mov edx, 605E9392h
  0x00000026 xor edx, 1C4651DFh
  0x0000002c xor edx, 7D6CD128h
  0x00000032 xor edx, 7E8A1371h
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 pop ecx
  0x00000042 add edi, edx
  0x00000044 dec ecx
  0x00000045 mov dword ptr [ebp+00000247h], edi
  0x0000004b mov edi, 063AD405h
  0x00000050 add edi, 3BA48952h
  0x00000056 xor edi, 5E34CBEDh
  0x0000005c sub edi, 1FEB96BAh
  0x00000062 test ah, dh
  0x00000064 cmp ecx, edi
  0x00000066 mov edi, dword ptr [ebp+00000247h]
  0x0000006c jne 00007FA278D8C3E1h
  0x0000006e mov dword ptr [ebp+000001EFh], ebx
  0x00000074 mov ebx, ecx
  0x00000076 push ebx
  0x00000077 mov ebx, dword ptr [ebp+000001EFh]
  0x0000007d call 00007FA278D8C4BCh
  0x00000082 call 00007FA278D8C44Bh
  0x00000087 lfence
  0x0000008a mov edx, 605E9392h
  0x0000008f xor edx, 1C4651DFh
  0x00000095 xor edx, 7D6CD128h
  0x0000009b xor edx, 7E8A1371h
  0x000000a1 mov edx, dword ptr [edx]
  0x000000a3 lfence
  0x000000a6 ret
  0x000000a7 mov esi, edx
  0x000000a9 pushad
  0x000000aa rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Doc0011222003.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos