Source: Doc0011222003.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameChalybes.exeFE2X vs Doc0011222003.exe |
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameChalybes.exeFE2XZ vs Doc0011222003.exe |
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameChalybes.exeFE2X3 vs Doc0011222003.exe |
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameChalybes.exeFE2X_ vs Doc0011222003.exe |
Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameChalybes.exeFE2X0 vs Doc0011222003.exe |
Source: Doc0011222003.exe, 00000000.00000002.826040028.0000000000414000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe |
Source: Doc0011222003.exe |
Binary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe |
Source: Doc0011222003.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFC89CDF2998EDD482.TMP |
Source: Doc0011222003.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal56.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.826048690.00000000004F0000.00000040.00000010.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Code function: 0_2_00405840 push ds; ret 0_2_00405842 |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Code function: 0_2_00409069 push edx; ret 0_2_00409080 |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Code function: 0_2_0040415D push edx; retf 0_2_00404169 |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Code function: 0_2_00405EB0 push cs; iretd 0_2_00405EB1 |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Code function: 0_2_00403B17 push ebx; ret 0_2_00403B23 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.08459440381 |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
RDTSC instruction interceptor: First address: 00000000004F58CE second address: 00000000004F58CE instructions: 0x00000000 rdtsc 0x00000002 mov eax, F54B2F39h 0x00000007 sub eax, C70568A7h 0x0000000c add eax, FDF4D585h 0x00000011 add eax, D3C563EAh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FA278D8C42Ah 0x0000001e lfence 0x00000021 mov edx, 605E9392h 0x00000026 xor edx, 1C4651DFh 0x0000002c xor edx, 7D6CD128h 0x00000032 xor edx, 7E8A1371h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000247h], edi 0x0000004b mov edi, 063AD405h 0x00000050 add edi, 3BA48952h 0x00000056 xor edi, 5E34CBEDh 0x0000005c sub edi, 1FEB96BAh 0x00000062 test ah, dh 0x00000064 cmp ecx, edi 0x00000066 mov edi, dword ptr [ebp+00000247h] 0x0000006c jne 00007FA278D8C3E1h 0x0000006e mov dword ptr [ebp+000001EFh], ebx 0x00000074 mov ebx, ecx 0x00000076 push ebx 0x00000077 mov ebx, dword ptr [ebp+000001EFh] 0x0000007d call 00007FA278D8C4BCh 0x00000082 call 00007FA278D8C44Bh 0x00000087 lfence 0x0000008a mov edx, 605E9392h 0x0000008f xor edx, 1C4651DFh 0x00000095 xor edx, 7D6CD128h 0x0000009b xor edx, 7E8A1371h 0x000000a1 mov edx, dword ptr [edx] 0x000000a3 lfence 0x000000a6 ret 0x000000a7 mov esi, edx 0x000000a9 pushad 0x000000aa rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Doc0011222003.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |