
Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID: 528205
MD5: b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1: 4a20778acf6d512792077dc339f23acfbdf22875
SHA256: d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0

Detection

Detected threats: GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Creates processes with suspicious names
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • Hong Tak Engineering SB Payment Receipt 241121_PDF.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: B2E24BC0F1F55F2AC9D8034098DFE32F)
    • ieinstal.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: ieinstal.exe PID: 5020 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}
Multi AV Scanner detection for submitted file
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | VirusTotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | ReversingLabs: Detection: 27%
Yara detected Remcos RAT
Source: Yara match | File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe | VirusTotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe | ReversingLabs: Detection: 27%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=7FA6B3
Uses dynamic DNS services
Source: unknown | DNS query: name: olufem.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: TMNET-AS-APTMNetInternetServiceProviderMY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.11.20:49768 -> 124.82.81.98:6111
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp | String found in binary or memory: https://7ybh4q.bn.files.1drv.com/
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp | String found in binary or memory: https://7ybh4q.bn.files.1drv.com/D
Source: ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp | String found in binary or memory: https://7ybh4q.bn.files.1drv.com/f
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000003.951864678.0000000003030000.00000004.00000001.sdmp | String found in binary or memory: https://7ybh4q.bn.files.1drv.com/y4mrYMhoGbjFe4lMap9L9LeL2yBCYdzRMAuRmtg6XK6YTbK2Pi7yHWQHU8EnZiLbINN
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/E
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
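The network, file, registry and mutex lines in this report are its hunting material, but a practitioner has to separate the Remcos C2 (a dynamic-DNS host on a non-standard port) from the payload host (a legitimate OneDrive share) and from noise such as the resolver 1.1.1.1 and the sandbox's own private address. The script below is an added example, not Joe Sandbox code or output: it normalises such lines into a tagged IOC set and defangs the network indicators for sharing. The sample lines are constructed from the report above; the dynamic-DNS suffix list, the cloud-storage host list, the resolver allow-list, the "standard ports" set and the tag names are this example's own assumptions.

```python
"""Normalise behaviour lines from a sandbox report into a tagged IOC set."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: behaviour lines copied from the report above
# (General Information, Malware Configuration, Networking, System Summary,
# Data Obfuscation), in the "Source: <origin> | <event>: <value>" shape.
SAMPLE_LINES = [
    "SHA256: d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0",
    '{"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}',
    "Source: unknown | DNS query: name: olufem.ddns.net",
    "Source: global traffic | TCP traffic: 192.168.11.20:49768 -> 124.82.81.98:6111",
    "Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: unknown | DNS traffic detected: queries for: onedrive.live.com",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-5IOG84",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe",
]

# Assumptions of this example, not data from the report: which suffixes count as
# dynamic DNS, which hosts are legitimate cloud storage (abused for payload
# hosting), which public resolvers to drop, and which ports are "standard".
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".no-ip.org", ".duckdns.org", ".hopto.org", ".zapto.org")
CLOUD_STORAGE_HOSTS = ("onedrive.live.com", ".1drv.com")
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
STANDARD_PORTS = {53, 80, 443}

RE_DNS = re.compile(r"DNS (?:query: name|traffic detected: queries for): ([A-Za-z0-9.-]+)")
RE_TCP = re.compile(r"TCP traffic: (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
RE_UDP = re.compile(r"UDP traffic detected without corresponding DNS query: (\d+\.\d+\.\d+\.\d+)")
RE_URL = re.compile(r'(?:URLs?: |"Payload URL": ")(https?://[^"\s]+)')
RE_MUTEX = re.compile(r"Mutant created: \\Sessions\\\d+\\BaseNamedObjects\\(\S+)")
RE_RUNKEY = re.compile(r"Registry value created or modified: (HKEY_\S+\\Run) (\S+)")
RE_DROP = re.compile(r"File created: ([A-Za-z]:\\.+?\.(?:exe|dll))(?:\s|$)")
RE_HASH = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def tag_domain(name):
    """Bucket a domain: dynamic DNS (typical Remcos C2), cloud storage (payload host) or plain."""
    n = name.lower()
    if n.endswith(DYNAMIC_DNS_SUFFIXES):
        return "dynamic_dns"
    if n.endswith(CLOUD_STORAGE_HOSTS):
        return "cloud_storage"
    return "domain"


def is_external(ip):
    """True for a routable address that is not a well-known public resolver."""
    return ipaddress.ip_address(ip).is_global and ip not in PUBLIC_RESOLVERS


def extract_iocs(lines):
    """Return {tag: sorted values} for every indicator recognised in the lines."""
    iocs = defaultdict(set)
    for line in lines:
        for m in RE_DNS.finditer(line):
            iocs[tag_domain(m.group(1))].add(m.group(1).lower())
        for m in RE_TCP.finditer(line):
            _src, _sport, dst, dport = m.groups()
            if is_external(dst):                      # drop the sandbox's own private address
                iocs["c2_endpoint"].add(f"{dst}:{dport}")
                if int(dport) not in STANDARD_PORTS:
                    iocs["nonstandard_port"].add(int(dport))
        for m in RE_UDP.finditer(line):
            iocs["c2_endpoint" if is_external(m.group(1)) else "noise_ip"].add(m.group(1))
        for m in RE_URL.finditer(line):
            iocs["payload_url"].add(m.group(1))
        for m in RE_MUTEX.finditer(line):
            iocs["mutex"].add(m.group(1))
        for m in RE_RUNKEY.finditer(line):
            iocs["persistence"].add(m.group(1) + "\\" + m.group(2))
        for m in RE_DROP.finditer(line):
            iocs["dropped_file"].add(m.group(1))
        for m in RE_HASH.finditer(line):
            iocs["hash"].add(m.group(1).lower())
    return {tag: sorted(values) for tag, values in sorted(iocs.items())}


def defang(ioc):
    """Make a network indicator safe to paste into a ticket or chat."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    network_tags = {"dynamic_dns", "domain", "cloud_storage", "c2_endpoint", "payload_url"}
    for tag, values in extract_iocs(SAMPLE_LINES).items():
        for value in values:
            print(f"{tag:17} {defang(value) if tag in network_tags else value}")
```

The split between `dynamic_dns` and `cloud_storage` matters when the output feeds a blocklist: the OneDrive host cannot be blocked wholesale, so its value is the full download URL and the account identifiers in it, whereas the ddns.net host and the 6111/tcp endpoint can go straight into network detection.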

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static file information: Suspicious name
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code functions: 3_2_022DD82A, 3_2_022D8863, 3_2_022DB5A0, 3_2_022DFDCF, 3_2_022DEA2B, 3_2_022D1E67, 3_2_022D1272, 3_2_022D1E5C, 3_2_022DDF39, 3_2_022D6F34, 3_2_022D6F0E, 3_2_022DD76D, 3_2_022DDF76, 3_2_022DDF44, 3_2_022D67AF, 3_2_022DDFA4, 3_2_022D47EF, 3_2_022D6FF3, 3_2_022D67C6, 3_2_022DD82C, 3_2_022D7824, 3_2_022D6820, 3_2_022DF032, 3_2_022D481B, 3_2_022DD863, 3_2_022DD8BF, 3_2_022DB48A, 3_2_022D7093, 3_2_022D08F9, 3_2_022DD8CC, 3_2_022D48C3, 3_2_022D70DE, 3_2_022D4933, 3_2_022DD903, 3_2_022D4967, 3_2_022D0943, 3_2_022D495D, 3_2_022D8556, 3_2_022DB5AB, 3_2_022D11B1, 3_2_022D498F, 3_2_022D41F7, 3_2_022D11F3, 3_2_022D41C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_02CF0710
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code functions calling NtAllocateVirtualMemory: 3_2_022DD82A, 3_2_022DDA3B, 3_2_022DDA6A, 3_2_022DDAA6, 3_2_022DDAD3, 3_2_022DDB38, 3_2_022DDB00, 3_2_022DDB76, 3_2_022DDBC7, 3_2_022DD82C, 3_2_022DDC13, 3_2_022DD863, 3_2_022DD8BF, 3_2_022DD8CC, 3_2_022DD93B, 3_2_022DD903, 3_2_022DD9B2, 3_2_022DD983, 3_2_022DD9E5
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code functions calling NtWriteVirtualMemory: 3_2_022D8863, 3_2_022D887B, 3_2_022D896B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function calling NtProtectVirtualMemory: 3_2_022DF872
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function calling Sleep, NtProtectVirtualMemory: 15_2_02CF0B83
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code functions calling NtProtectVirtualMemory: 15_2_02CF0C78, 15_2_02CF0CC8, 15_2_02CF0C47, 15_2_02CF0BD8, 15_2_02CF0D17, 15_2_02CF0C7F, 15_2_02CF0C77
Sample file is different than original file name gathered from version info
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000000.602674209.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename: GRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Binary or memory string: OriginalFilename: GRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
PE file contains strange resources
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Countysygej.exe.15.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Section loaded: edgegdi.dll
PE / OLE file has an invalid certificate
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static PE information: invalid certificate
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | VirusTotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | ReversingLabs: Detection: 27%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\wifitskl
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DFDA925A6B9EAC6C8F.TMP
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@10/1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-5IOG84

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_00407484 push 1002C579h; iretd 3_2_00407491
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_00404764 push esi; ret 3_2_0040488D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D9605 push es; iretd 3_2_022D9615
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D5A4B pushad ; retf 3_2_022D5A4E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D037F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D03BB push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D0383 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022DA7FF push cs; iretd 3_2_022DA806
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D043F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D0403 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D046F push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D04A7 push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D04EC push ds; ret 3_2_022D0516
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D0CD1 push ds; ret 3_2_022D0D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D0CD3 push ds; ret 3_2_022D0D73
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D116B pushfd ; iretd 3_2_022D116C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D95F5 push es; iretd 3_2_022D9615
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
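What makes this sample a GuLoader/Remcos case is the chain, not any single API: the dropper starts ieinstal.exe in suspended mode with the dropper's own command line (visible in the process tree, where the ieinstal.exe entry carries the Desktop path), then calls NtAllocateVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory against it; the hollowed ieinstal.exe probes for qemu-ga.exe and qga.exe, sleeps 9176 times, polls the foreground window, installs a WH_KEYBOARD_LL hook and writes the Run value Tanadarforurenings. The rule engine below is an added example, not Joe Sandbox code: it evaluates a constructed trace whose PIDs, paths, APIs, counts, hook type and Run value are taken from the process tree, the System Summary and Data Obfuscation sections above and the evasion section that follows. The event schema, the event-kind names, the foreground-window threshold and the rule names are this example's own assumptions; the sleep thresholds are the ones printed in the report's sleep signatures. It distinguishes a plain foreign write from hollowing (a suspended child written to by its creator) and flags the image/command-line mismatch seen in the process tree.

```python
"""Behaviour-chain rules over a process trace, mirroring the report's signatures."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    pid: int
    image: str   # full path of the acting process
    kind: str    # event type (this example's own vocabulary)
    args: dict = field(default_factory=dict)


DROPPER = r"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
IEINSTAL = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed trace: reconstructed from the report's process tree and signature
# output (PIDs, paths, APIs, sleep count/delay, hook type and Run value are the
# report's); the event kinds and field names are assumptions of this example.
TRACE = [
    Event(3648, DROPPER, "process_create", {"child_pid": 5020, "child_image": IEINSTAL,
                                            "cmdline": f'"{DROPPER}"', "suspended": True}),
    Event(3648, DROPPER, "NtAllocateVirtualMemory", {"target_pid": 5020}),
    Event(3648, DROPPER, "NtWriteVirtualMemory", {"target_pid": 5020}),
    Event(3648, DROPPER, "NtProtectVirtualMemory", {"target_pid": 5020}),
    Event(5020, IEINSTAL, "file_open", {"path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"}),
    Event(5020, IEINSTAL, "file_open", {"path": r"C:\Program Files\qga\qga.exe"}),
    Event(5020, IEINSTAL, "sleep_loop", {"count": 9176, "delay_ms": 5}),
    Event(5020, IEINSTAL, "foreground_window", {"count": 673}),
    Event(5020, IEINSTAL, "set_hook", {"hook": "WH_KEYBOARD_LL"}),
    Event(5020, IEINSTAL, "reg_set", {"key": RUN_KEY, "value": "Tanadarforurenings"}),
]

# Probe paths listed in the report: QEMU guest-agent binaries whose presence marks a QEMU-based sandbox.
VM_AGENT_PATHS = {r"c:\program files\qemu-ga\qemu-ga.exe", r"c:\program files\qga\qga.exe"}
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"}
SLEEP_COUNT_MAX, SLEEP_TOTAL_MS_MAX = 30, 30000   # thresholds as printed in the report's sleep signatures
FOREGROUND_POLL_MAX = 100                          # assumption: polling beyond this is user-activity detection


def cmdline_exe(cmdline):
    """Executable named by a Windows command line (quoted or not), lower-cased basename."""
    first = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
    return ntpath.basename(first).lower()


def detect(trace):
    """Return (rule, pid, evidence) tuples for every rule that fires on the trace."""
    findings = []
    suspended = {}                  # child pid -> creator pid
    foreign = defaultdict(set)      # (writer pid, target pid) -> memory APIs used
    for ev in trace:
        a = ev.args
        if ev.kind == "process_create":
            if a.get("suspended"):
                suspended[a["child_pid"]] = ev.pid
            image_exe = ntpath.basename(a["child_image"]).lower()
            claimed = cmdline_exe(a["cmdline"])
            if claimed != image_exe:    # a hollowed host keeps the injector's command line
                findings.append(("image/cmdline mismatch", a["child_pid"], f"{image_exe} started as {claimed}"))
        elif ev.kind in MEMORY_APIS and a["target_pid"] != ev.pid:
            foreign[(ev.pid, a["target_pid"])].add(ev.kind)
        elif ev.kind == "file_open" and a["path"].lower() in VM_AGENT_PATHS:
            findings.append(("sandbox probe (VM guest agent path)", ev.pid, a["path"]))
        elif ev.kind == "sleep_loop":
            total_ms = a["count"] * a["delay_ms"]
            if a["count"] > SLEEP_COUNT_MAX or total_ms >= SLEEP_TOTAL_MS_MAX:
                findings.append(("evasive sleep loop", ev.pid, f"{a['count']} sleeps, {total_ms} ms total"))
        elif ev.kind == "foreground_window" and a["count"] > FOREGROUND_POLL_MAX:
            findings.append(("user-activity polling", ev.pid, f"GetForegroundWindow x{a['count']}"))
        elif ev.kind == "set_hook" and a["hook"] == "WH_KEYBOARD_LL":
            findings.append(("global keyboard hook", ev.pid, a["hook"]))
        elif ev.kind == "reg_set" and a["key"].lower().endswith(r"\currentversion\run"):
            findings.append(("Run-key persistence", ev.pid, a["value"]))
    for (writer, target), apis in foreign.items():
        if "NtWriteVirtualMemory" not in apis:
            continue                # allocation/protection alone is not injection
        rule = ("process hollowing (suspended child + foreign write)"
                if suspended.get(target) == writer else "foreign memory write")
        findings.append((rule, writer, f"into pid {target}: {', '.join(sorted(apis))}"))
    return findings


def score(findings):
    """Distinct rules per pid; the pid hit by several unrelated rules is the one to contain first."""
    per_pid = defaultdict(set)
    for rule, pid, _ in findings:
        per_pid[pid].add(rule)
    return {pid: len(rules) for pid, rules in per_pid.items()}


if __name__ == "__main__":
    results = detect(TRACE)
    for rule, pid, evidence in results:
        print(f"pid {pid:<5} {rule:55} {evidence}")
    print(score(results))
```

Keying the hollowing rule on the creator/child relationship is what keeps it quiet on debuggers and legitimate injectors that write into processes they did not start suspended; those still surface as "foreign memory write" and can be allow-listed by image. The image/command-line mismatch is cheap to check from process-creation telemetry alone and is the same tell an analyst reads off the process tree above.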

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\COUNTYSYGEJ.EXE\AGERHNSJAGTFISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNTANADARFORURENINGSHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7FA6B3539DFD0E74&RESID=7FA6B3539DFD0E74%211122&AUTHKEY=AFLMPX3MS1VU7IU
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 | Thread sleep count: 9176 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 | Thread sleep time: -45880s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread sleep count: Count: 9176 delay: -5
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | Code function: 3_2_022D4123 rdtsc
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Window / User API: threadDelayed 9176
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Window / User API: foregroundWindowGot 673
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe | System information queried: ModuleInformation
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW8
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: ieinstal.exe, 0000000F.00000002.5677340949.0000000002FC9000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\Countysygej.exe\AgerhnsjagtfiSoftware\Microsoft\Windows\CurrentVersion\RunTanadarforureningshttps://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX3ms1Vu7IU
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.0000