Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID: 528205
MD5: b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1: 4a20778acf6d512792077dc339f23acfbdf22875
SHA256: d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Creates processes with suspicious names
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different from original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}
Multi AV Scanner detection for submitted file
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe ReversingLabs: Detection: 27%
Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe ReversingLabs: Detection: 27%

Compliance:

Uses 32bit PE files
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=7FA6B3
Uses dynamic DNS services
Source: unknown DNS query: name: olufem.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TMNET-AS-APTMNetInternetServiceProviderMY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49768 -> 124.82.81.98:6111
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp String found in binary or memory: https://7ybh4q.bn.files.1drv.com/
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp String found in binary or memory: https://7ybh4q.bn.files.1drv.com/D
Source: ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp String found in binary or memory: https://7ybh4q.bn.files.1drv.com/f
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000003.951864678.0000000003030000.00000004.00000001.sdmp String found in binary or memory: https://7ybh4q.bn.files.1drv.com/y4mrYMhoGbjFe4lMap9L9LeL2yBCYdzRMAuRmtg6XK6YTbK2Pi7yHWQHU8EnZiLbINN
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/E
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX
Source: unknown DNS traffic detected: queries for: onedrive.live.com
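
The networking signatures above reduce to three checks an analyst can run against their own DNS and flow logs: a hostname under a dynamic-DNS provider, outbound TCP to a port outside the egress allow-list, and traffic to a public address that no DNS answer ever returned (the logic behind the report's "UDP traffic detected without corresponding DNS query" line). The Python below is an added example, not part of the Joe Sandbox report. The DNS names and the TCP flow are taken from the indicators listed above; the DDNS suffix list and the allowed-port set are assumptions, and the DNS answer recorded for onedrive.live.com is a documentation-range placeholder, not an observed resolution.

```python
"""Network-side triage for the behaviours listed above (added example;
the log lines below are constructed from this report's indicators)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Suffixes of common dynamic-DNS providers: an assumed starter list,
# normally fed from threat intel rather than hard-coded.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                        "zapto.org", "sytes.net", "duckdns.org", "myftp.biz")
# Destination TCP ports a workstation egress policy is assumed to allow.
EXPECTED_EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def is_dynamic_dns(hostname: str) -> bool:
    """True when the name is a dynamic-DNS provider's apex or a label under it."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_flow(line: str):
    """'PROTO src:port -> dst:port' -> (proto, src, sport, dst, dport)."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split("->", 1))
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.upper(), sip, int(sport), dip, int(dport)


def triage(dns_queries, dns_answers, flows):
    """Apply the three checks; dns_answers maps name -> list of resolved IPs."""
    findings = []
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    for name in dns_queries:
        if is_dynamic_dns(name):
            findings.append(Finding("dynamic-dns", name))
    for line in flows:
        proto, _sip, _sport, dip, dport = parse_flow(line)
        if ip_address(dip).is_private:        # LAN traffic is out of scope here
            continue
        if proto == "TCP" and dport not in EXPECTED_EGRESS_PORTS:
            findings.append(Finding("nonstandard-port", f"{dip}:{dport}"))
        if dip not in resolved:               # hard-coded or out-of-band resolved C2
            findings.append(Finding("unresolved-destination", f"{proto} {dip}:{dport}"))
    return findings


# Constructed sample: the names and the TCP flow come from this report; the
# onedrive.live.com answer is a documentation-range placeholder, not a real one.
DNS_QUERIES = ["onedrive.live.com", "olufem.ddns.net"]
DNS_ANSWERS = {"onedrive.live.com": ["198.51.100.20"]}
FLOWS = [
    "TCP 192.168.11.20:49768 -> 124.82.81.98:6111",
    "UDP 192.168.11.20:52001 -> 1.1.1.1:53",
    "TCP 192.168.11.20:49771 -> 192.168.11.1:445",
]

if __name__ == "__main__":
    for f in triage(DNS_QUERIES, DNS_ANSWERS, FLOWS):
        print(f"{f.rule:24} {f.detail}")
```

The unresolved-destination check is the one that survives a dynamic-DNS rotation: once the operator repoints olufem.ddns.net, the hostname indicator is stale, but a socket to a public IP that never appeared in a DNS answer from the host's configured resolver still stands out.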

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD82A 3_2_022DD82A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D8863 3_2_022D8863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DB5A0 3_2_022DB5A0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DFDCF 3_2_022DFDCF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DEA2B 3_2_022DEA2B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D1E67 3_2_022D1E67
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D1272 3_2_022D1272
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D1E5C 3_2_022D1E5C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDF39 3_2_022DDF39
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D6F34 3_2_022D6F34
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D6F0E 3_2_022D6F0E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD76D 3_2_022DD76D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDF76 3_2_022DDF76
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDF44 3_2_022DDF44
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D67AF 3_2_022D67AF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDFA4 3_2_022DDFA4
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D47EF 3_2_022D47EF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D6FF3 3_2_022D6FF3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D67C6 3_2_022D67C6
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD82C 3_2_022DD82C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D7824 3_2_022D7824
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D6820 3_2_022D6820
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DF032 3_2_022DF032
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D481B 3_2_022D481B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD863 3_2_022DD863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD8BF 3_2_022DD8BF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DB48A 3_2_022DB48A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D7093 3_2_022D7093
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D08F9 3_2_022D08F9
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD8CC 3_2_022DD8CC
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D48C3 3_2_022D48C3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D70DE 3_2_022D70DE
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D4933 3_2_022D4933
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD903 3_2_022DD903
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D4967 3_2_022D4967
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D0943 3_2_022D0943
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D495D 3_2_022D495D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D8556 3_2_022D8556
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DB5AB 3_2_022DB5AB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D11B1 3_2_022D11B1
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D498F 3_2_022D498F
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D41F7 3_2_022D41F7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D11F3 3_2_022D11F3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D41C0 3_2_022D41C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0710 15_2_02CF0710
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD82A NtAllocateVirtualMemory, 3_2_022DD82A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D8863 NtWriteVirtualMemory, 3_2_022D8863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DF872 NtProtectVirtualMemory, 3_2_022DF872
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDA3B NtAllocateVirtualMemory, 3_2_022DDA3B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDA6A NtAllocateVirtualMemory, 3_2_022DDA6A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDAA6 NtAllocateVirtualMemory, 3_2_022DDAA6
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDAD3 NtAllocateVirtualMemory, 3_2_022DDAD3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDB38 NtAllocateVirtualMemory, 3_2_022DDB38
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDB00 NtAllocateVirtualMemory, 3_2_022DDB00
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDB76 NtAllocateVirtualMemory, 3_2_022DDB76
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDBC7 NtAllocateVirtualMemory, 3_2_022DDBC7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD82C NtAllocateVirtualMemory, 3_2_022DD82C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DDC13 NtAllocateVirtualMemory, 3_2_022DDC13
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD863 NtAllocateVirtualMemory, 3_2_022DD863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D887B NtWriteVirtualMemory, 3_2_022D887B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD8BF NtAllocateVirtualMemory, 3_2_022DD8BF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD8CC NtAllocateVirtualMemory, 3_2_022DD8CC
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD93B NtAllocateVirtualMemory, 3_2_022DD93B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD903 NtAllocateVirtualMemory, 3_2_022DD903
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D896B NtWriteVirtualMemory, 3_2_022D896B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD9B2 NtAllocateVirtualMemory, 3_2_022DD9B2
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD983 NtAllocateVirtualMemory, 3_2_022DD983
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD9E5 NtAllocateVirtualMemory, 3_2_022DD9E5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0B83 Sleep,NtProtectVirtualMemory, 15_2_02CF0B83
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0C78 NtProtectVirtualMemory, 15_2_02CF0C78
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0CC8 NtProtectVirtualMemory, 15_2_02CF0CC8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0C47 NtProtectVirtualMemory, 15_2_02CF0C47
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0BD8 NtProtectVirtualMemory, 15_2_02CF0BD8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0D17 NtProtectVirtualMemory, 15_2_02CF0D17
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0C7F NtProtectVirtualMemory, 15_2_02CF0C7F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_02CF0C77 NtProtectVirtualMemory, 15_2_02CF0C77
Sample file is different from original file name gathered from version info
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000000.602674209.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
PE file contains strange resources
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Countysygej.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll
PE / OLE file has an invalid certificate
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: invalid certificate
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe ReversingLabs: Detection: 27%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Roaming\wifitskl
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DFDA925A6B9EAC6C8F.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@10/1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-5IOG84

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_00407484 push 1002C579h; iretd 3_2_00407491
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_00404764 push esi; ret 3_2_0040488D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D9605 push es; iretd 3_2_022D9615
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D5A4B pushad ; retf 3_2_022D5A4E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D037F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D03BB push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D0383 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DA7FF push cs; iretd 3_2_022DA806
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D043F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D0403 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D046F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D04A7 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D04EC push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D0CD1 push ds; ret 3_2_022D0D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D0CD3 push ds; ret 3_2_022D0D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D116B pushfd ; iretd 3_2_022D116C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D95F5 push es; iretd 3_2_022D9615
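
The push/ret pairs listed above are what a linear opcode scan finds when a push-family byte is immediately followed by a return-family byte; the pushed value becomes the "return address", so the pair is an indirect jump that defeats naive call-graph recovery. The Python below, an added example and not Joe Sandbox code, performs that scan. The sample buffer is constructed to encode the same instruction pairs as the hits above, at made-up offsets.

```python
"""Linear scan for push/ret pairs (added example, not Joe Sandbox code).
A push immediately followed by a return is an indirect jump in disguise:
the pushed value becomes the 'return address'."""

PUSH_ONE_BYTE = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
                 0x60: "pushad", 0x9C: "pushfd"}
PUSH_ONE_BYTE.update({0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])})
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16",
               0xCF: "iretd"}


def scan_push_ret(code: bytes, base: int = 0):
    """Return [(address, 'push ...; ret-form'), ...] for every push-family
    opcode whose next byte is a return-family opcode.  No disassembly is
    done, so a hit inside data or an immediate is possible (see note)."""
    hits, i, n = [], 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n:                 # push imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            text, length = f"push {imm:08X}h", 5
        elif op == 0x6A and i + 2 < n:               # push imm8
            text, length = f"push {code[i + 1]:02X}h", 2
        elif op in PUSH_ONE_BYTE and i + 1 < n:
            text, length = PUSH_ONE_BYTE[op], 1
        else:
            i += 1
            continue
        nxt = code[i + length]
        if nxt in RET_OPCODES:
            hits.append((base + i, f"{text}; {RET_OPCODES[nxt]}"))
            i += length + 1                          # skip the matched pair
        else:
            i += 1
    return hits


# Constructed buffer encoding the same pairs as the report's hits, padded
# with mov edi,edi / nop and a plain 'push eax' that must not match.
SAMPLE = bytes.fromhex(
    "8BFF"            # mov edi, edi
    "6879C50210CF"    # push 1002C579h; iretd
    "90"              # nop
    "56C3"            # push esi; ret
    "60CB"            # pushad; retf
    "1EC3"            # push ds; ret
    "9CCF"            # pushfd; iretd
    "06CF"            # push es; iretd
    "5090"            # push eax; nop  (no return follows -> no hit)
)

if __name__ == "__main__":
    for addr, text in scan_push_ret(SAMPLE, base=0x00400000):
        print(f"{addr:08X}  {text}")
```

Because this is a byte scan rather than a disassembly, matches inside data or immediate operands are noise, and the raw count is weak evidence on its own. The stronger signal in this report is where the hits sit: almost all are at 3_2_022D... addresses, inside the region dumped as 00000000022D0000.00000040, whose tag matches PAGE_EXECUTE_READWRITE (0x40) memory allocated at run time rather than a section of the mapped image.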

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)
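
Two of the host-side observations in this report are good detection anchors outside the sandbox. In the process tree under System Summary, ieinstal.exe (a Microsoft binary under Program Files) is created by the sample with the sample's own path as its command line, so the command line no longer describes the image; and in this section a Run value is written while the only PE dropped lives under %LOCALAPPDATA%\Temp. The Python below is an added example, not part of the report: it evaluates an image/command-line basename mismatch, a system-directory image with a parent running from a user-writable path, and a Run value pointing into a user-writable path, over Sysmon-shaped events constructed from the paths on this page. The Run value's data is assumed to be the dropped Countysygej.exe (the report shows the value name only), the key is written as HKCU where Sysmon would log HKU\<SID>, and the benign Vendor\Agent.exe events are invented controls.

```python
"""Host-side triage over Sysmon-shaped events (added example, not part of
the report).  Event IDs: 1 = process create, 13 = registry value set."""
import ntpath
from dataclasses import dataclass

# Assumed layout markers for user-writable and system locations.
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\downloads\\", "\\appdata\\", "\\public\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def first_executable(cmdline: str) -> str:
    """Executable path at the head of a command line or Run value.
    Handles quoted paths and the common unquoted-path-with-spaces case by
    cutting at the first '.exe'."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    k = s.lower().find(".exe")
    return s[:k + 4] if k != -1 else (s.split(None, 1)[0] if s else "")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") and any(m in p for m in USER_WRITABLE_MARKERS)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def triage(events):
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = ev["Image"], ev.get("ParentImage", "")
            claimed = first_executable(ev.get("CommandLine", ""))
            # ieinstal.exe started with the sample's own path as its command
            # line: the command line lies about the image (hollowing indicator).
            if claimed and ntpath.basename(claimed).lower() != ntpath.basename(image).lower():
                findings.append(Finding("image-cmdline-mismatch",
                                        f"{ntpath.basename(image)} claims {ntpath.basename(claimed)}"))
            # A Program Files / Windows binary whose parent runs from a user-writable path.
            if in_system_dir(image) and in_user_writable(parent):
                findings.append(Finding("system-image-user-parent",
                                        f"{ntpath.basename(parent)} -> {ntpath.basename(image)}"))
        elif ev["EventID"] == 13:
            key = ev["TargetObject"]
            if "\\currentversion\\run\\" in key.lower():
                target = first_executable(ev.get("Details", ""))
                if in_user_writable(target):
                    findings.append(Finding("run-key-user-writable",
                                            f"{ntpath.basename(key)} = {target}"))
    return findings


# Constructed events built from this report's paths.  The Run value's data is
# assumed (the report shows the value name only), and the key is written as
# HKCU\... where Sysmon would log HKU\<SID>\...  Vendor\Agent.exe is invented.
SAMPLE_EXE = r"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
IEINSTAL = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"
EVENTS = [
    {"EventID": 1, "Image": IEINSTAL, "CommandLine": f'"{SAMPLE_EXE}"', "ParentImage": SAMPLE_EXE},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\Desktop\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": IEINSTAL,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tanadarforurenings",
     "Details": r"C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Agent.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\Agent.exe" /tray'},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:26} {f.detail}")
```

The mismatch rule is the cheapest of the three and the least noisy. The other two need allow-lists in production: installers launched from Downloads legitimately spawn Program Files binaries, and per-user applications that install under AppData register Run values there as a matter of course.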

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\COUNTYSYGEJ.EXE\AGERHNSJAGTFISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNTANADARFORURENINGSHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7FA6B3539DFD0E74&RESID=7FA6B3539DFD0E74%211122&AUTHKEY=AFLMPX3MS1VU7IU
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 Thread sleep count: 9176 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 Thread sleep time: 45880 ms in total (9176 sleeps x 5 ms) >= 30000 ms threshold
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: 9176, delay: -5 (relative interval, 5 ms per call)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D4123 rdtsc 3_2_022D4123
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 9176
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: foregroundWindowGot 673
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe System information queried: ModuleInformation
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW8
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: ieinstal.exe, 0000000F.00000002.5677340949.0000000002FC9000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\Countysygej.exe\AgerhnsjagtfiSoftware\Microsoft\Windows\CurrentVersion\RunTanadarforureningshttps://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX3ms1Vu7IU
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWVY
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D4123 rdtsc 3_2_022D4123
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DEA2B mov eax, dword ptr fs:[00000030h] 3_2_022DEA2B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DC345 mov eax, dword ptr fs:[00000030h] 3_2_022DC345
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022D9889 mov eax, dword ptr fs:[00000030h] 3_2_022D9889
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DD108 mov eax, dword ptr fs:[00000030h] 3_2_022DD108
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Code function: 3_2_022DAD16 LdrInitializeThunk, 3_2_022DAD16

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CE0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:6111E
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:6111
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program ManagerEM t8
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Manager1064_03
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program ManagerModules.`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program ManagerEM
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program ManagernsoleS5`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Manageroca
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Manager\Users\<`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:61118
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managerpc
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:6111U
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp, logs.dat.15.dr Binary or memory string: [Program Manager]

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR