Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID: 528205
MD5: b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1: 4a20778acf6d512792077dc339f23acfbdf22875
SHA256: d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
Tags: exesigned
Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates processes with suspicious names
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}
Multi AV Scanner detection for submitted file
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe ReversingLabs: Detection: 27%

Compliance:

Uses 32bit PE files
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=7FA6B3

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520449768.00000000007AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000000.287520162.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
PE file contains strange resources
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
PE / OLE file has an invalid certificate
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00758863 NtWriteVirtualMemory,Sleep, 1_2_00758863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D82A NtAllocateVirtualMemory, 1_2_0075D82A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075F8E2 NtProtectVirtualMemory, 1_2_0075F8E2
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075F872 NtProtectVirtualMemory, 1_2_0075F872
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075887B NtWriteVirtualMemory, 1_2_0075887B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D863 NtAllocateVirtualMemory, 1_2_0075D863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D82C NtAllocateVirtualMemory, 1_2_0075D82C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D8CC NtAllocateVirtualMemory, 1_2_0075D8CC
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D8BF NtAllocateVirtualMemory, 1_2_0075D8BF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075F8A8 NtProtectVirtualMemory, 1_2_0075F8A8
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075896B NtWriteVirtualMemory, 1_2_0075896B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D93B NtAllocateVirtualMemory, 1_2_0075D93B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D903 NtAllocateVirtualMemory, 1_2_0075D903
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D9E5 NtAllocateVirtualMemory, 1_2_0075D9E5
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D9B2 NtAllocateVirtualMemory, 1_2_0075D9B2
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D983 NtAllocateVirtualMemory, 1_2_0075D983
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DA6A NtAllocateVirtualMemory, 1_2_0075DA6A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DA3B NtAllocateVirtualMemory, 1_2_0075DA3B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DAD3 NtAllocateVirtualMemory, 1_2_0075DAD3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DAA6 NtAllocateVirtualMemory, 1_2_0075DAA6
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DB76 NtAllocateVirtualMemory, 1_2_0075DB76
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DB38 NtAllocateVirtualMemory, 1_2_0075DB38
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DB00 NtAllocateVirtualMemory, 1_2_0075DB00
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DBC7 NtAllocateVirtualMemory, 1_2_0075DBC7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075DC13 NtAllocateVirtualMemory, 1_2_0075DC13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056F872 NtProtectVirtualMemory, 6_2_0056F872
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056D82A NtAllocateVirtualMemory, 6_2_0056D82A
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process Stats: CPU usage > 98%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DFEBA196672956C021.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00407484 push 1002C579h; iretd 1_2_00407491
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00404764 push esi; ret 1_2_0040488D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075116B pushfd ; iretd 1_2_0075116C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00755A4B pushad ; retf 1_2_00755A4E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075037F push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_007503BB push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00750383 push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075046F push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075043F push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00750403 push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_007504EC push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00750CD1 push ds; ret 1_2_00750D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00750CD3 push ds; ret 1_2_00750D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_007504A7 push ds; ret 1_2_00750516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_007595F5 push es; iretd 1_2_00759615
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00759605 push es; iretd 1_2_00759615
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075A7FF push cs; iretd 1_2_0075A806
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056046F push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00560403 push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056043F push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00560CD3 push ds; ret 6_2_00560D73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00560CD1 push ds; ret 6_2_00560D73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_005604EC push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_005604A7 push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056116B pushfd ; iretd 6_2_0056116C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_005695F5 push es; iretd 6_2_00569615
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00565A4B pushad ; retf 6_2_00565A4E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00569605 push es; iretd 6_2_00569615
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056037F push ds; ret 6_2_00560516
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056A7FF push cs; iretd 6_2_0056A806
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00560383 push ds; ret 6_2_00560516

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00754123 rdtsc 1_2_00754123
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe System information queried: ModuleInformation
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Found potential dummy code loops (likely to delay analysis)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00759889 mov eax, dword ptr fs:[00000030h] 1_2_00759889
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075D108 mov eax, dword ptr fs:[00000030h] 1_2_0075D108
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075EA42 mov eax, dword ptr fs:[00000030h] 1_2_0075EA42
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075EA2B mov eax, dword ptr fs:[00000030h] 1_2_0075EA2B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075C345 mov eax, dword ptr fs:[00000030h] 1_2_0075C345
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00569889 mov eax, dword ptr fs:[00000030h] 6_2_00569889
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056D108 mov eax, dword ptr fs:[00000030h] 6_2_0056D108
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056EA2B mov eax, dword ptr fs:[00000030h] 6_2_0056EA2B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056C345 mov eax, dword ptr fs:[00000030h] 6_2_0056C345
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_00754123 rdtsc 1_2_00754123
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 1_2_0075AD16 LdrInitializeThunk, 1_2_0075AD16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0056FDCF RtlAddVectoredExceptionHandler, 6_2_0056FDCF

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 560000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior