Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID: 528205
MD5: b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1: 4a20778acf6d512792077dc339f23acfbdf22875
SHA256: d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
Tags: exe, signed

Detection

Family: GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates processes with suspicious names
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Process Tree

  • System is w10x64
  • Hong Tak Engineering SB Payment Receipt 241121_PDF.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: B2E24BC0F1F55F2AC9D8034098DFE32F)
    • ieinstal.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 672 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup
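The process tree above carries the signal a detection engineer wants: both ieinstal.exe children (PIDs 6676 and 672) are running with the dropper's own path as their command line, which is what a suspended process whose image has been replaced leaves behind (compare the "Creates a process in suspended mode", "Writes to foreign memory regions" and NtAllocateVirtualMemory / NtWriteVirtualMemory / NtProtectVirtualMemory findings further down). The report's Sigma section matched nothing. As an added example that is not part of the Joe Sandbox report, the following Python triages such a tree from Sysmon-style process-creation events: it flags document-lure filenames, image/command-line disagreement, and a system binary hollowed by a process living in a user-writable directory. The event records, the explorer.exe parent (the report lists the dropper's parent as unknown) and the benign notepad.exe control are constructed here, and the field names are an assumption rather than Sysmon's exact schema.

```python
"""Triage a process tree for the hollowing pattern shown in this report.

Added example, not code from the Joe Sandbox report. Events are constructed
from the report's process tree (PIDs 6132, 6676, 672) in a Sysmon-Event-1-like
shape; field names, the explorer.exe parent and the notepad.exe control are
assumptions added for illustration.
"""
from dataclasses import dataclass

# Document-type token sitting right before the real ".exe" marks a lure name
DOC_SUFFIXES = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")
SEPARATORS = "._- "
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\program files", "c:\\windows\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable actually mapped into the process (Image)
    cmdline: str    # command line the process was created with (CommandLine)
    md5: str


def first_token(cmdline: str) -> str:
    """Return the executable named by a command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_lure_name(path: str) -> bool:
    """True for names such as 'Receipt 241121_PDF.exe' or 'invoice.pdf.exe'."""
    name = path.rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        return False
    stem = name[:-4]
    for suffix in DOC_SUFFIXES:
        if (stem.endswith(suffix) and len(stem) > len(suffix)
                and stem[-len(suffix) - 1] in SEPARATORS):
            return True
    return False


def cmdline_mismatch(ev: ProcEvent) -> bool:
    """The command line names a different binary than the mapped image.

    A normally started process carries its own path (or bare name, when
    launched through PATH); the report's ieinstal.exe children carry the
    dropper's path instead.
    """
    cmd_exe, image = first_token(ev.cmdline).lower(), ev.image.lower()
    if "\\" in cmd_exe:
        return cmd_exe != image
    return cmd_exe != image.rsplit("\\", 1)[-1]


def triage(events):
    """Return (pid, finding) pairs for every event that matches a check."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_lure_name(ev.image):
            findings.append((ev.pid, "lure_filename"))
        if cmdline_mismatch(ev):
            findings.append((ev.pid, "image_cmdline_mismatch"))
            parent = by_pid.get(ev.ppid)
            # System binary whose image and command line disagree, started by
            # something in a user-writable directory: the hollowing shape.
            if (parent and ev.image.lower().startswith(SYSTEM_DIRS)
                    and any(d in parent.image.lower() for d in USER_WRITABLE)):
                findings.append((ev.pid, "system_binary_hollowed_by_user_process"))
    return findings


DROPPER = r"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
IEINSTAL = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"

# Constructed from the report's process tree; PID 1000 / explorer.exe and the
# benign notepad.exe control (PID 4321) are assumptions added for contrast.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", "0" * 32),
    ProcEvent(6132, 1000, DROPPER, f'"{DROPPER}"', "b2e24bc0f1f55f2ac9d8034098dfe32f"),
    ProcEvent(6676, 6132, IEINSTAL, f'"{DROPPER}"', "dad17ab737e680c47c8a44cbb95ee67e"),
    ProcEvent(672, 6132, IEINSTAL, f'"{DROPPER}"', "dad17ab737e680c47c8a44cbb95ee67e"),
    ProcEvent(4321, 1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" notes.txt', "1" * 32),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```

Running it prints the lure finding for PID 6132 and the mismatch plus hollowing findings for PIDs 6676 and 672, nothing for explorer.exe or notepad.exe. The image-versus-command-line comparison is the check to encode as a Sigma rule over Sysmon Event ID 1 (Image against CommandLine) to cover the gap the "No Sigma rule has matched" line shows; the basename fallback keeps processes launched through PATH from tripping it.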

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Yara Overview

Memory Dumps

Source: 00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp
  Rule: JoeSecurity_GuLoader_2 (Yara detected GuLoader), Author: Joe Security
Source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp
  Rule: JoeSecurity_GuLoader_2 (Yara detected GuLoader), Author: Joe Security
Source: 00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp
  Rule: JoeSecurity_GuLoader_2 (Yara detected GuLoader), Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}
Multi AV Scanner detection for submitted file
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, ReversingLabs: Detection: 27%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?cid=7FA6B3
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520449768.00000000007AA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static file information: Suspicious name
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000000.287520162.000000000041C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilename GRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Binary or memory string: OriginalFilename GRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Code functions (process 1):
  1_2_00758863, 1_2_00757824, 1_2_0075D82A, 1_2_0075FDCF, 1_2_0075B5A0, 1_2_0075D863, 1_2_0075F063, 1_2_0075E053,
  1_2_0075F032, 1_2_00756820, 1_2_0075D82C, 1_2_0075481B, 1_2_007600F0, 1_2_007508F9, 1_2_007570DE, 1_2_007548C3,
  1_2_0075D8CC, 1_2_007600C8, 1_2_0075D8BF, 1_2_00757093, 1_2_00760083, 1_2_0075E088, 1_2_0075E170, 1_2_00754967,
  1_2_0076016B, 1_2_0075495D, 1_2_00750943, 1_2_00760132, 1_2_00754933, 1_2_0075D903, 1_2_0075E10E, 1_2_007541F7,
  1_2_007511F3, 1_2_0075E1FF, 1_2_007541C0, 1_2_007601CF, 1_2_007511B1, 1_2_0075E1BB, 1_2_00760195, 1_2_0075498F,
  1_2_00751272, 1_2_0075EA42, 1_2_00760233, 1_2_0075E22E, 1_2_0075EA2B, 1_2_0075E2BE, 1_2_0075EABB, 1_2_0075E287,
  1_2_0075E369, 1_2_0075F342, 1_2_0075E333, 1_2_0075EB03, 1_2_0075EBE3, 1_2_0075F3EF, 1_2_0075E3D2, 1_2_0075EBB3,
  1_2_0075F3A9, 1_2_0075EC42, 1_2_0075E428, 1_2_0075EC0F, 1_2_0075ECD3, 1_2_0075EC93, 1_2_0075B48A, 1_2_0075ED73,
  1_2_0075855D, 1_2_0075FDE7, 1_2_0075EDB8, 1_2_0075B5AB, 1_2_0075ED8A, 1_2_00751E67, 1_2_00751E5C, 1_2_0075EE44,
  1_2_0075FE49, 1_2_0075FE14, 1_2_0075FEB3, 1_2_00757EA0, 1_2_0075EEAF, 1_2_0075DF76, 1_2_0075FF67, 1_2_0075D76D,
  1_2_0075EF53, 1_2_0075DF44, 1_2_00756F34, 1_2_0075DF39, 1_2_0075EF13, 1_2_0075FF0F, 1_2_00756F0E, 1_2_00756FF3,
  1_2_007547EF, 1_2_0075DFD0, 1_2_007567C6, 1_2_0075DFA4, 1_2_007567AF, 1_2_0075FF94, 1_2_0075EF93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code functions (process 6):
  6_2_0056D82A, 6_2_0056FDCF, 6_2_0056B5A0, 6_2_0056481B, 6_2_0056F032, 6_2_00567824, 6_2_00566820, 6_2_005670DE,
  6_2_005648C3, 6_2_005608F9, 6_2_00567093, 6_2_0056B48A, 6_2_00568556, 6_2_0056495D, 6_2_00560943, 6_2_00564967,
  6_2_00564933, 6_2_005641C0, 6_2_005641F7, 6_2_005611F3, 6_2_0056498F, 6_2_005611B1, 6_2_0056B5AB, 6_2_00561E5C,
  6_2_00561272, 6_2_00561E67, 6_2_0056EA2B, 6_2_0056D76D, 6_2_00566F0E, 6_2_00566F34, 6_2_005667C6, 6_2_00566FF3,
  6_2_005647EF, 6_2_005667AF
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static PE information: invalid certificate
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Code functions calling native APIs (process 1):
  1_2_00758863: NtWriteVirtualMemory, Sleep
  1_2_0075D82A: NtAllocateVirtualMemory
  1_2_0075F8E2: NtProtectVirtualMemory
  1_2_0075F872: NtProtectVirtualMemory
  1_2_0075887B: NtWriteVirtualMemory
  1_2_0075D863: NtAllocateVirtualMemory
  1_2_0075D82C: NtAllocateVirtualMemory
  1_2_0075D8CC: NtAllocateVirtualMemory
  1_2_0075D8BF: NtAllocateVirtualMemory
  1_2_0075F8A8: NtProtectVirtualMemory
  1_2_0075896B: NtWriteVirtualMemory
  1_2_0075D93B: NtAllocateVirtualMemory
  1_2_0075D903: NtAllocateVirtualMemory
  1_2_0075D9E5: NtAllocateVirtualMemory
  1_2_0075D9B2: NtAllocateVirtualMemory
  1_2_0075D983: NtAllocateVirtualMemory
  1_2_0075DA6A: NtAllocateVirtualMemory
  1_2_0075DA3B: NtAllocateVirtualMemory
  1_2_0075DAD3: NtAllocateVirtualMemory
  1_2_0075DAA6: NtAllocateVirtualMemory
  1_2_0075DB76: NtAllocateVirtualMemory
  1_2_0075DB38: NtAllocateVirtualMemory
  1_2_0075DB00: NtAllocateVirtualMemory
  1_2_0075DBC7: NtAllocateVirtualMemory
  1_2_0075DC13: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code functions calling native APIs (process 6):
  6_2_0056F872: NtProtectVirtualMemory
  6_2_0056D82A: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Process Stats: CPU usage > 98%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown, Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" (observed twice; see the two ieinstal.exe children in the Process Tree)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, File created: C:\Users\user\AppData\Local\Temp\~DFEBA196672956C021.TMP
Source: classification engine, Classification label: mal100.troj.evad.winEXE@5/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match, File source: 00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Code functions with push/ret and push/iret sequences (process 1; function, instruction, location):
  1_2_00407484 push 1002C579h; iretd (at 1_2_00407491)
  1_2_00404764 push esi; ret (at 1_2_0040488D)
  1_2_0075116B pushfd; iretd (at 1_2_0075116C)
  1_2_00755A4B pushad; retf (at 1_2_00755A4E)
  1_2_0075037F push ds; ret (at 1_2_00750516)
  1_2_007503BB push ds; ret (at 1_2_00750516)
  1_2_00750383 push ds; ret (at 1_2_00750516)
  1_2_0075046F push ds; ret (at 1_2_00750516)
  1_2_0075043F push ds; ret (at 1_2_00750516)
  1_2_00750403 push ds; ret (at 1_2_00750516)
  1_2_007504EC push ds; ret (at 1_2_00750516)
  1_2_00750CD1 push ds; ret (at 1_2_00750D73)
  1_2_00750CD3 push ds; ret (at 1_2_00750D73)
  1_2_007504A7 push ds; ret (at 1_2_00750516)
  1_2_007595F5 push es; iretd (at 1_2_00759615)
  1_2_00759605 push es; iretd (at 1_2_00759615)
  1_2_0075A7FF push cs; iretd (at 1_2_0075A806)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code functions with push/ret and push/iret sequences (process 6; function, instruction, location):
  6_2_0056046F push ds; ret (at 6_2_00560516)
  6_2_00560403 push ds; ret (at 6_2_00560516)
  6_2_0056043F push ds; ret (at 6_2_00560516)
  6_2_00560CD3 push ds; ret (at 6_2_00560D73)
  6_2_00560CD1 push ds; ret (at 6_2_00560D73)
  6_2_005604EC push ds; ret (at 6_2_00560516)
  6_2_005604A7 push ds; ret (at 6_2_00560516)
  6_2_0056116B pushfd; iretd (at 6_2_0056116C)
  6_2_005695F5 push es; iretd (at 6_2_00569615)
  6_2_00565A4B pushad; retf (at 6_2_00565A4E)
  6_2_00569605 push es; iretd (at 6_2_00569615)
  6_2_0056037F push ds; ret (at 6_2_00560516)
  6_2_0056A7FF push cs; iretd (at 6_2_0056A806)
  6_2_00560383 push ds; ret (at 6_2_00560516)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect Any.run
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_00754123 rdtsc 1_2_00754123
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | System information queried: ModuleInformation
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
        Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=
        Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
        Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
        Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Thread information set: HideFromDebugger
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread information set: HideFromDebugger
        Found potential dummy code loops (likely to delay analysis)
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process Stats: CPU usage > 90% for more than 60s
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_00759889 mov eax, dword ptr fs:[00000030h] 1_2_00759889
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_0075D108 mov eax, dword ptr fs:[00000030h] 1_2_0075D108
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_0075EA42 mov eax, dword ptr fs:[00000030h] 1_2_0075EA42
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_0075EA2B mov eax, dword ptr fs:[00000030h] 1_2_0075EA2B
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_0075C345 mov eax, dword ptr fs:[00000030h] 1_2_0075C345
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 6_2_00569889 mov eax, dword ptr fs:[00000030h] 6_2_00569889
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 6_2_0056D108 mov eax, dword ptr fs:[00000030h] 6_2_0056D108
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 6_2_0056EA2B mov eax, dword ptr fs:[00000030h] 6_2_0056EA2B
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 6_2_0056C345 mov eax, dword ptr fs:[00000030h] 6_2_0056C345
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_00754123 rdtsc 1_2_00754123
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 1_2_0075AD16 LdrInitializeThunk, 1_2_0075AD16
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 6_2_0056FDCF RtlAddVectoredExceptionHandler, 6_2_0056FDCF

        HIPS / PFW / Operating System Protection Evasion:

        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 560000
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
        Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
        Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp | Binary or memory string: Program Manager
        Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

        Stealing of Sensitive Information:

        GuLoader behavior detected
        Source: Initial file | Signature Results: GuLoader behavior

        Mitre Att&ck Matrix

        Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
        Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux) | At (Windows)
        Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
        Privilege Escalation: Process Injection 112 | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac)
        Defense Evasion: Virtualization/Sandbox Evasion 31 | Process Injection 112 | Obfuscated Files or Information 1 | Binary Padding
        Credential Access: Input Capture 1 | LSASS Memory | Security Account Manager | NTDS
        Discovery: Security Software Discovery 411 | Virtualization/Sandbox Evasion 31 | Process Discovery 1 | System Information Discovery 2
        Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
        Collection: Input Capture 1 | Archive Collected Data 1 | Data from Network Shared Drive | Input Capture
        Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer
        Command and Control: Encrypted Channel 1 | Application Layer Protocol 1 | Steganography | Protocol Impersonation
        Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap
        Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
        Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud

        Behavior Graph


        Screenshots

        Thumbnails
