Windows Analysis Report exe.exe

Overview

General Information

Sample Name: exe.exe
Analysis ID: 528196
MD5: ccdf9de19a42d303579dfcc11f846bcb
SHA1: 413b2f4c1cc4f242d50bd95faa7ca85bcbcfbdef
SHA256: 0a2a2c18fa708a33573b788860a4911e6d6d6fd3ddf8cacdddf4d9d100ca562d

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file name differs from the original file name in the version info
Tries to load missing DLLs
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download"}
Multi AV Scanner detection for submitted file
Source: exe.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: exe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download

System Summary:

Uses 32bit PE files
Source: exe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file name differs from the original file name in the version info
Source: exe.exe, 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenaturforholdene.exe vs exe.exe
Source: exe.exe Binary or memory string: OriginalFilenamenaturforholdene.exe vs exe.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\exe.exe Section loaded: sxs.dll
Detected potential crypto function
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_0040153C 0_2_0040153C
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_00401778 0_2_00401778
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_0040172B 0_2_0040172B
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D6C38 0_2_002D6C38
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CD95C 0_2_002CD95C
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C1439 0_2_002C1439
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CE454 0_2_002CE454
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D44EE 0_2_002D44EE
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CCCFE 0_2_002CCCFE
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D4CD4 0_2_002D4CD4
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C1144 0_2_002C1144
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CD5A8 0_2_002CD5A8
Contains functionality to call native functions
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CD95C NtAllocateVirtualMemory, 0_2_002CD95C
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\exe.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\Desktop\exe.exe Memory allocated: 76E90000 page execute and read and write
PE file contains executable resources (Code or Archives)
Source: exe.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\exe.exe Process Stats: CPU usage > 98%
Source: exe.exe Virustotal: Detection: 20%
Source: exe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\exe.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\exe.exe File created: C:\Users\user\AppData\Local\Temp\~DF56168A067CC46460.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_0040443B push ds; iretd 0_2_0040443C
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_00412CE9 pushfd ; iretd 0_2_00412CEF
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_004078BA push esp; ret 0_2_004078C0
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_00408951 push esi; iretd 0_2_0040895C
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_0040A585 push edi; ret 0_2_0040A587
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C3C7D push cs; retf 0_2_002C3C7E
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C1F2E push esi; retf 0_2_002C1F31
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C3720 push 00E981C1h; iretd 0_2_002C3725
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002C2B1E push ecx; ret 0_2_002C2B45
Source: C:\Users\user\Desktop\exe.exe Process information set: NOOPENFILEERRORBOX
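The push ...; ret / retf / iretd pairs listed above are the shapes the "call, push, ret" heuristic matches: a pushed value followed by a return instruction is a branch that a linear disassembler does not see as one. As an added illustration, not code from the report or from GuLoader, the Python below scans raw bytes for those same pair shapes and, for the push imm32 form, recovers the effective branch target. The sample bytes are constructed; only the 0x00E981C1 immediate is taken from the 0_2_002C3720 entry above.

```python
"""Flag push/ret-style control-flow obfuscation in raw x86 bytes.

Added example, not part of the sandbox report: a linear byte scan for the
push ...; ret/retf/iretd pairs the report lists, with the jump target
recovered for the 'push imm32' form.
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
ONE_BYTE_PUSH = {0x0E: "push cs", 0x9C: "pushfd"}

# Constructed 17-byte sample: a benign prologue followed by the four pair
# shapes that appear in the report (the imm32 is the one from 0_2_002C3720).
SAMPLE = bytes([
    0x55,                          # push ebp          (normal prologue, no hit)
    0x8B, 0xEC,                    # mov ebp, esp
    0x68, 0xC1, 0x81, 0xE9, 0x00,  # push 0x00E981C1
    0xCF,                          # iretd
    0x57, 0xC3,                    # push edi; ret
    0x0E, 0xCB,                    # push cs; retf
    0x9C, 0xCF,                    # pushfd; iretd
    0x90, 0x90,                    # nop; nop
])


def scan_push_ret(code, base=0):
    """Return (address, mnemonic pair, target) for each push/ret-style pair.

    target is the imm32 for 'push imm32; ret' (an obfuscated jmp imm32) and
    None when the pushed value is a general, segment or flags register.
    This is a byte-pattern scan, not a disassembly: it has no notion of
    instruction boundaries, so it also fires on operand or data bytes.
    """
    hits, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        # 68 imm32 followed by a return
        if b == 0x68 and i + 5 < n and code[i + 5] in RET_OPS:
            tgt = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, f"push {tgt:#010x}; {RET_OPS[code[i + 5]]}", tgt))
            i += 6
            continue
        # 50..57 = push r32
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] in RET_OPS:
            hits.append((base + i, f"push {REG32[b - 0x50]}; {RET_OPS[code[i + 1]]}", None))
            i += 2
            continue
        # 0E = push cs, 9C = pushfd
        if b in ONE_BYTE_PUSH and i + 1 < n and code[i + 1] in RET_OPS:
            hits.append((base + i, f"{ONE_BYTE_PUSH[b]}; {RET_OPS[code[i + 1]]}", None))
            i += 2
            continue
        i += 1
    return hits


if __name__ == "__main__":
    for addr, pair, tgt in scan_push_ret(SAMPLE, base=0x002C3700):
        print(f"{addr:#010x}  {pair}" + (f"  -> {tgt:#010x}" if tgt is not None else ""))
```

Two caveats when reading the report's hits. First, only ret pops EIP alone; retf also pops CS and iretd pops CS and EFLAGS, so a push reg; iretd pair transfers control to the pushed value only if the stack below it already holds a usable CS and EFLAGS, and a hit is therefore not necessarily a reachable branch. Second, the 0x0040xxxx hits lie in the exe image mapped at 0x00400000 (a VB6 binary, given that msvbvm60.dll is loaded), whereas the 0x002Cxxxx hits lie in the 0x2C0000 region the Yara rule matched in memory; the latter are the ones that belong to the GuLoader code and are worth confirming in a real disassembler.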

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\exe.exe RDTSC instruction interceptor: First address: 00000000002CCB31 second address: 00000000002CCB31 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 2948E649h
    0x00000007 xor eax, EC82DA16h
    0x0000000c xor eax, 4667AFFBh
    0x00000011 xor eax, 83AD93A5h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007FB0E10DF5ADh
    0x0000001e lfence
    0x00000021 mov edx, A0C7F784h
    0x00000026 sub edx, AABF78E8h
    0x0000002c xor edx, 1F5F6D33h
    0x00000032 xor edx, 96A913BBh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 test cl, 0000005Eh
    0x00000047 dec ecx
    0x00000048 mov dword ptr [ebp+00000215h], edx
    0x0000004e mov edx, D915E9E9h
    0x00000053 add edx, F5E97DD3h
    0x00000059 xor edx, 8364302Bh
    0x0000005f sub edx, 4D9B5797h
    0x00000065 jmp 00007FB0E10DF5B5h
    0x0000006a test dl, cl
    0x0000006c cmp ecx, edx
    0x0000006e mov edx, dword ptr [ebp+00000215h]
    0x00000074 jne 00007FB0E10DF3C9h
    0x0000007a mov dword ptr [ebp+000001C7h], esi
    0x00000080 mov esi, ecx
    0x00000082 push esi
    0x00000083 mov esi, dword ptr [ebp+000001C7h]
    0x00000089 call 00007FB0E10DF628h
    0x0000008e call 00007FB0E10DF5CEh
    0x00000093 lfence
    0x00000096 mov edx, A0C7F784h
    0x0000009b sub edx, AABF78E8h
    0x000000a1 xor edx, 1F5F6D33h
    0x000000a7 xor edx, 96A913BBh
    0x000000ad mov edx, dword ptr [edx]
    0x000000af lfence
    0x000000b2 ret
    0x000000b3 mov esi, edx
    0x000000b5 pushad
    0x000000b6 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CD230 rdtsc 0_2_002CD230
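The immediates in the interceptor listing above are arithmetic-obfuscated constants: each mov/add/sub/xor chain folds to a fixed value that tells you what the check actually does. The Python below is an added example, not code from the report or from GuLoader. It walks a trimmed copy of that listing (constructed from the immediates printed above), folds each chain and labels the results: the eax chain before cpuid folds to leaf 1, whose ECX bit 31 is the hypervisor-present flag; the edx chain before the memory read folds to 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime on x86 Windows; and the chain feeding cmp ecx, edx folds to 0, a plain countdown test. The KUSER_SHARED_DATA address and field offset are facts about Windows, not taken from the report, and the register model (which instructions clobber which tracked value) is a simplification of mine.

```python
"""Constant-fold the obfuscated immediates in the sandbox's RDTSC trace.

Added example, not part of the report: it re-derives what the mov/xor/sub
chains around the rdtsc/cpuid pair actually compute.
"""
import re

# Constructed excerpt of the report's RDTSC-interceptor listing: the immediates
# are the ones the report prints, the list is trimmed to the constant chains.
TRACE = """\
0x00000000 rdtsc
0x00000002 mov eax, 2948E649h
0x00000007 xor eax, EC82DA16h
0x0000000c xor eax, 4667AFFBh
0x00000011 xor eax, 83AD93A5h
0x00000016 cpuid
0x00000021 mov edx, A0C7F784h
0x00000026 sub edx, AABF78E8h
0x0000002c xor edx, 1F5F6D33h
0x00000032 xor edx, 96A913BBh
0x00000038 mov edx, dword ptr [edx]
0x0000004e mov edx, D915E9E9h
0x00000053 add edx, F5E97DD3h
0x00000059 xor edx, 8364302Bh
0x0000005f sub edx, 4D9B5797h
0x0000006c cmp ecx, edx
0x000000b6 rdtsc
"""

MASK = 0xFFFFFFFF
INSN = re.compile(r"^0x[0-9a-f]+\s+(\w+)(?:\s+(\w+)(?:,\s*(.+))?)?$", re.I)
MEM = re.compile(r"dword ptr \[(\w+)\]$")

# KUSER_SHARED_DATA is mapped read-only at this fixed user-mode address on
# x86 Windows; SystemTime (a KSYSTEM_TIME) lives at offset 0x14.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x000: "TickCountLowDeprecated", 0x008: "InterruptTime", 0x014: "SystemTime"}


def parse_imm(tok):
    """Assembler-style immediate such as '2948E649h' -> int."""
    tok = tok.strip()
    if not tok.endswith("h"):
        raise ValueError(f"not an immediate: {tok}")
    return int(tok[:-1], 16)


def fold_trace(trace):
    """Walk the listing once, folding mov/add/sub/xor immediates per register.

    Returns (kind, value) events: rdtsc, cpuid (value = eax leaf), read
    (value = folded pointer) and cmp (value = (lhs, rhs)); None = unknown.
    """
    regs, events = {}, []
    for raw in trace.splitlines():
        m = INSN.match(raw.strip())
        if not m:
            continue                      # operand forms not modelled (e.g. memory stores)
        op, dst, src = m.group(1).lower(), m.group(2), m.group(3)
        if op in ("rdtsc", "cpuid"):
            events.append((op, regs.get("eax") if op == "cpuid" else None))
            for r in ("eax", "ebx", "ecx", "edx"):   # both overwrite (a subset of) these
                regs.pop(r, None)
        elif op == "mov" and src and MEM.match(src):
            events.append(("read", regs.get(MEM.match(src).group(1))))
            regs.pop(dst, None)           # loaded value is unknown
        elif op == "mov" and src and src.endswith("h"):
            regs[dst] = parse_imm(src)
        elif op in ("add", "sub", "xor") and src and src.endswith("h") and dst in regs:
            v = parse_imm(src)
            regs[dst] = {"add": (regs[dst] + v) & MASK,
                         "sub": (regs[dst] - v) & MASK,
                         "xor": regs[dst] ^ v}[op]
        elif op == "cmp" and src:
            rhs = parse_imm(src) if src.endswith("h") else regs.get(src)
            events.append(("cmp", (regs.get(dst), rhs)))
        else:
            regs.pop(dst, None)           # any other write clobbers what we tracked
    return events


def describe(events):
    """Human-readable annotation of the folded events."""
    out = []
    for kind, val in events:
        if kind == "cpuid":
            leaf = "unknown leaf" if val is None else f"leaf {val:#x}"
            if val == 1:
                leaf += " (ECX bit 31 = hypervisor present)"
            out.append(f"cpuid {leaf}")
        elif kind == "read":
            off = None if val is None else val - KUSER_SHARED_DATA
            if off is not None and 0 <= off < 0x1000:
                out.append(f"read KUSER_SHARED_DATA+{off:#x} ({KUSER_FIELDS.get(off, '?')})")
            else:
                out.append("read [unknown]" if val is None else f"read [{val:#010x}]")
        elif kind == "cmp":
            lhs, rhs = val
            fmt = lambda x: "?" if x is None else f"{x:#x}"
            out.append(f"cmp {fmt(lhs)}, {fmt(rhs)}")
        else:
            out.append(kind)
    return out


if __name__ == "__main__":
    for line in describe(fold_trace(TRACE)):
        print(line)
```

Read together, the loop pairs each rdtsc with a cpuid(1) and a wall-clock sample from the shared user page, and accumulates the SystemTime delta in edi; comparing the TSC delta with that delta is how the loader notices single-stepping, emulation or a tampered TSC. For detection the stable signal is not the immediates, which a rebuild changes, but the combination of rdtsc, cpuid and a read in the 0x7FFE0000 page issued from dynamically allocated RWX memory such as the 0x2C0000 region the Yara rule matched.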

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\exe.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D29ED mov eax, dword ptr fs:[00000030h] 0_2_002D29ED
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D33A4 mov eax, dword ptr fs:[00000030h] 0_2_002D33A4
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CC7A0 mov eax, dword ptr fs:[00000030h] 0_2_002CC7A0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002CD230 rdtsc 0_2_002CD230
Source: C:\Users\user\Desktop\exe.exe Code function: 0_2_002D6C38 RtlAddVectoredExceptionHandler, 0_2_002D6C38
Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\user\Desktop\exe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos