Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="} |
Source: FACTURAS.exe |
ReversingLabs: Detection: 15% |
Source: FACTURAS.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id= |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DDD75 NtAllocateVirtualMemory, |
0_2_020DDD75 |
Source: FACTURAS.exe, 00000000.00000000.294184122.0000000000421000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe |
Source: FACTURAS.exe |
Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_004036BD |
0_2_004036BD |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00401538 |
0_2_00401538 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00401774 |
0_2_00401774 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00401727 |
0_2_00401727 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E6E65 |
0_2_020E6E65 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DDD75 |
0_2_020DDD75 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D924D |
0_2_020D924D |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D924F |
0_2_020D924F |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D9331 |
0_2_020D9331 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E5138 |
0_2_020E5138 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D9691 |
0_2_020D9691 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DD7F6 |
0_2_020DD7F6 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D94E5 |
0_2_020D94E5 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D95CD |
0_2_020D95CD |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E45C5 |
0_2_020E45C5 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E3A47 |
0_2_020E3A47 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DCFA2 |
0_2_020DCFA2 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E4CA7 |
0_2_020E4CA7 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E4DD5 |
0_2_020E4DD5 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP |
Source: FACTURAS.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_004013B4 push FFFFFFCDh; iretd |
0_2_0040140C |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_0040204F push FFFFFFCDh; iretd |
0_2_0040206F |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_004111C3 push ebp; ret |
0_2_00411288 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_004051D5 push 0340104Fh; iretd |
0_2_004051DB |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00403A4A push esi; retf |
0_2_00403A4B |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00402B0E push FFFFFFCDh; iretd |
0_2_00402D9B |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00404C1F push eax; ret |
0_2_00404C39 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_0040BCD6 push 3CF881B8h; ret |
0_2_0040BD03 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_00413574 push 00000039h; iretd |
0_2_00413578 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_0040A61E push D9EC50BBh; retf |
0_2_0040A62B |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_0040A739 push cs; iretd |
0_2_0040A73A |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DE3B0 pushad ; retf |
0_2_020DFF57 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D17FB push cs; ret |
0_2_020D17FC |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D4AE0 push ebp; retf |
0_2_020D4AE1 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D5860 push esp; retn 0004h |
0_2_020D5992 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D0E32 pushfd ; iretd |
0_2_020D0E3C |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D5F76 push eax; iretd |
0_2_020D5F8B |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D5FC1 push eax; iretd |
0_2_020D5F8B |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D4C41 push ebp; ret |
0_2_020D4C42 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_0041724F rdtsc |
0_2_0041724F |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E5138 mov eax, dword ptr fs:[00000030h] |
0_2_020E5138 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E3589 mov eax, dword ptr fs:[00000030h] |
0_2_020E3589 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020D8A51 mov eax, dword ptr fs:[00000030h] |
0_2_020D8A51 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020DC9F2 mov eax, dword ptr fs:[00000030h] |
0_2_020DC9F2 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E2C97 mov eax, dword ptr fs:[00000030h] |
0_2_020E2C97 |
Source: C:\Users\user\Desktop\FACTURAS.exe |
Code function: 0_2_020E6E65 RtlAddVectoredExceptionHandler, |
0_2_020E6E65 |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |