Play interactive tour

Edit tour

Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID:	528205
MD5:	b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1:	4a20778acf6d512792077dc339f23acfbdf22875
SHA256:	d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
Tags:	exesigned
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Found potential dummy code loops (likely to delay analysis)

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Creates processes with suspicious names

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Hong Tak Engineering SB Payment Receipt 241121_PDF.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: B2E24BC0F1F55F2AC9D8034098DFE32F)

ieinstal.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 672 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Multi AV Scanner detection for submitted file

Show sources

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Virustotal: Detection: 39%			Perma Link
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	ReversingLabs: Detection: 27%

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=7FA6B3

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520449768.00000000007AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: initial sample	Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static file information: Suspicious name

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000000.287520162.000000000041C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00758863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00757824
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D82A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FDCF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075B5A0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F063
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E053
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F032
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00756820
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D82C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075481B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007600F0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007508F9
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007570DE
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007548C3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D8CC
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007600C8
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D8BF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00757093
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00760083
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E088
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E170
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00754967
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0076016B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075495D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00750943
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00760132
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00754933
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D903
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E10E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007541F7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007511F3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E1FF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007541C0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007601CF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007511B1
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E1BB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00760195
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075498F
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00751272
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EA42
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00760233
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E22E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EA2B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E2BE
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EABB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E287
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E369
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F342
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E333
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EB03
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EBE3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F3EF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E3D2
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EBB3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F3A9
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EC42
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075E428
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EC0F
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075ECD3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EC93
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075B48A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075ED73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075855D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FDE7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EDB8
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075B5AB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075ED8A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00751E67
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00751E5C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EE44
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FE49
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FE14
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FEB3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00757EA0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EEAF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DF76
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FF67
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D76D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EF53
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DF44
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00756F34
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DF39
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EF13
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FF0F
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00756F0E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00756FF3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007547EF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DFD0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007567C6
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DFA4
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007567AF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075FF94
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EF93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056D82A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056FDCF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056B5A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056481B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056F032
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00567824
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00566820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005670DE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005648C3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005608F9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00567093
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056B48A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00568556
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056495D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00560943
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00564967
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00564933
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005641C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005641F7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005611F3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056498F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005611B1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056B5AB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00561E5C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00561272
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00561E67
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056EA2B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056D76D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00566F0E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00566F34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005667C6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00566FF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005647EF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005667AF

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00758863 NtWriteVirtualMemory,Sleep,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D82A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F8E2 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F872 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075887B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D863 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D82C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D8CC NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D8BF NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075F8A8 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075896B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D93B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D903 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D9E5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D9B2 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D983 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DA6A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DA3B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DAD3 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DAA6 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DB76 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DB38 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DB00 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DBC7 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075DC13 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056F872 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056D82A NtAllocateVirtualMemory,

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process Stats: CPU usage > 98%

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	ReversingLabs: Detection: 27%

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\~DFEBA196672956C021.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00407484 push 1002C579h; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00404764 push esi; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075116B pushfd ; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00755A4B pushad ; retf
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075037F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007503BB push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00750383 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075046F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075043F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00750403 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007504EC push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00750CD1 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00750CD3 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007504A7 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_007595F5 push es; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00759605 push es; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075A7FF push cs; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056046F push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00560403 push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056043F push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00560CD3 push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00560CD1 push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005604EC push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005604A7 push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056116B pushfd ; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_005695F5 push es; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00565A4B pushad ; retf
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00569605 push es; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056037F push ds; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056A7FF push cs; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00560383 push ds; ret

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 1_2_00754123 rdtsc

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

System information queried: ModuleInformation

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564386334.0000000000D70000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.521048300.00000000031AA000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000001.00000002.520996387.00000000030E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000006.00000002.564969808.000000000435A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_00759889 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075D108 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EA42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075EA2B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 1_2_0075C345 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_00569889 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056D108 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056EA2B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_0056C345 mov eax, dword ptr fs:[00000030h]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 1_2_00754123 rdtsc

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 1_2_0075AD16 LdrInitializeThunk,

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 6_2_0056FDCF RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 560000

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"

Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 00000006.00000002.564837081.0000000002F00000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Virtualization/Sandbox Evasion31	Input Capture1	Security Software Discovery411	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection112	LSASS Memory	Virtualization/Sandbox Evasion31	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	40%	Virustotal		Browse
Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	27%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=7FA6B3	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528205
Start date:	24.11.2021
Start time:	21:02:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.3% (good quality ratio 5.8%) Quality average: 28.9% Quality standard deviation: 36.3%
HCA Information:	Successful, ratio: 80% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFEBA196672956C021.TMP Download File
Process:	C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.3863194741075688
Encrypted:	false
SSDEEP:	96:GaabmG8CL3uSTdfPBeQaabmG8CL3uSTdf:i93jJBeU93j
MD5:	B3A27F74C52AC98DDE14EA7A804ECFD6
SHA1:	5F6D3F7644E0973D8A059AC228042EA60C507836
SHA-256:	F6C6736ACA8B6A743732E216DBB62B59B65DCBB0B6308B2B28D67706ABBC7F0C
SHA-512:	F7129070C7133C63C57BE7724B322B2A8F3FB6624F35B7A4E730DECD418E488CBF53292E845255DEDCFBA1502A0332D7DB17EF29D0E2A2A4DD345F87EECB36BE
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.999498053134024
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
File size:	128816
MD5:	b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1:	4a20778acf6d512792077dc339f23acfbdf22875
SHA256:	d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
SHA512:	01dbc321743acf74ef5557f9429d26aa5892b196c695a5e4ed0342d626c4e98a650d01729975d20812653edaf5295fdc7484a43949738d9de5effdb1dcb7b896
SSDEEP:	1536:I+3sCKWgen7J84YCrMYpNxXeBwodguvRZkVT7yaBOJzFHKAgYX5:I1PX0JLHrJNvoPvoVT58JzFh5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&T..&...&...&...&...&...&Rich...&................PE..L......V.....................`...... .............@........

File Icon


Icon Hash:	42b97ce4f0e1f2e4

Static PE Info

General
Entrypoint:	0x401320
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56BC1AFE [Thu Feb 11 05:24:14 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	995d60149de3040b4890e5871343f4eb

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=dykkerklokkeado@LOKALITET.Sk, CN=godkendelsesmil, OU=Iroquoianspri1, O=Klarissenobie, L=KEDECHRYSLEROVEREF, S=AFSPADSERING, C=SC
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/23/2021 8:20:15 PM 11/23/2022 8:20:15 PM
Subject Chain	E=dykkerklokkeado@LOKALITET.Sk, CN=godkendelsesmil, OU=Iroquoianspri1, O=Klarissenobie, L=KEDECHRYSLEROVEREF, S=AFSPADSERING, C=SC
Version:	3
Thumbprint MD5:	8ACCDE5BD3D9438F5ED6CE6C1979787E
Thumbprint SHA-1:	E6BE6E4C60B6588F4C337C033C6165C6914F3249
Thumbprint SHA-256:	A2E6DA055CC6C343D9251796595BC0A1882C21EC31DBD14C72A656EC419A4096
Serial:	00

Entrypoint Preview

Instruction
push 0040284Ch
call 00007F0EE0E8A123h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi-71919BE2h], al
inc esi
mov byte ptr [ecx-66h], cl
popfd
std
iretd
adc dword ptr [ebp+00003112h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc eax
add bh, byte ptr [eax]
or byte ptr [ecx+00h], al
inc esp
outsd
jnbe 00007F0EE0E8A1A0h
imul esp, dword ptr [ebp+73h], 6E6F6B74h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add esp, ebx
mov byte ptr [DB0681D6h], al
mov eax, dword ptr [DCCA9944h]
clc
mov dword ptr [128312C7h], eax
sub eax, 4704A48Fh
scasd
dec ebp
test al, E0h
inc esi
xor eax, ecx
scasd
call 00007F0E8E37DBD1h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
stosb
push cs
add byte ptr [eax], al
mov dword ptr [esi], ecx
add byte ptr [eax], al
add byte ptr [eax+eax], cl
push ebx
jne 00007F0EE0E8A1A0h
jbe 00007F0EE0E8A199h
jc 00007F0EE0E8A19Dh
xor dword ptr [eax], eax
or eax, 42000701h
popad

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19264	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x373c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1f000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18728	0x19000	False	0.47935546875	data	6.37312654175	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x1a94	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x373c	0x4000	False	0.217163085938	data	3.71594095347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
SET	0x1d296	0x24a6	MS Windows icon resource - 3 icons, 24x24, 16 colors, 4 bits/pixel, 24x24, 8 bits/pixel	English	United States
RT_ICON	0x1c9ee	0x8a8	data
RT_ICON	0x1c486	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1c464	0x22	data
RT_VERSION	0x1c170	0x2f4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Clamore
InternalName	GRUDGEFULUNNOT
FileVersion	1.00
CompanyName	Clamore
LegalTrademarks	Clamore
Comments	Clamore
ProductName	Clamore
ProductVersion	1.00
FileDescription	Clamore
OriginalFilename	GRUDGEFULUNNOT.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe PID: 6132 Parent PID: 5256

General

Start time:	21:03:03
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Imagebase:	0x400000
File size:	128816 bytes
MD5 hash:	B2E24BC0F1F55F2AC9D8034098DFE32F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.520378272.0000000000750000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ieinstal.exe PID: 6676 Parent PID: 6132

General

Start time:	21:03:44
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Imagebase:	0xe80000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ieinstal.exe PID: 672 Parent PID: 6132

General

Start time:	21:03:45
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Imagebase:	0xe80000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000000.377067642.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.564225292.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe PID: 6132 Parent PID: 5256

General

Analysis Process: ieinstal.exe PID: 6676 Parent PID: 6132

General

Analysis Process: ieinstal.exe PID: 672 Parent PID: 6132

General