Play interactive tour

Edit tour

Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Sample Name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Analysis ID:	528205
MD5:	b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1:	4a20778acf6d512792077dc339f23acfbdf22875
SHA256:	d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Installs a global keyboard hook

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses dynamic DNS services

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Creates processes with suspicious names

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

Hong Tak Engineering SB Payment Receipt 241121_PDF.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: B2E24BC0F1F55F2AC9D8034098DFE32F)

ieinstal.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ieinstal.exe PID: 5020	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"}

Multi AV Scanner detection for submitted file

Show sources

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Virustotal: Detection: 39%			Perma Link
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	ReversingLabs: Detection: 27%

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe	Virustotal: Detection: 39%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe	ReversingLabs: Detection: 27%

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=7FA6B3

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: olufem.ddns.net

Source: Joe Sandbox View

ASN Name: TMNET-AS-APTMNetInternetServiceProviderMY TMNET-AS-APTMNetInternetServiceProviderMY

Source: global traffic

TCP traffic: 192.168.11.20:49768 -> 124.82.81.98:6111

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	String found in binary or memory: https://7ybh4q.bn.files.1drv.com/
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp	String found in binary or memory: https://7ybh4q.bn.files.1drv.com/D
Source: ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	String found in binary or memory: https://7ybh4q.bn.files.1drv.com/f
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000003.951864678.0000000003030000.00000004.00000001.sdmp	String found in binary or memory: https://7ybh4q.bn.files.1drv.com/y4mrYMhoGbjFe4lMap9L9LeL2yBCYdzRMAuRmtg6XK6YTbK2Pi7yHWQHU8EnZiLbINN
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/E
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: initial sample	Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static file information: Suspicious name

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD82A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D8863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DB5A0
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DFDCF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DEA2B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D1E67
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D1272
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D1E5C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDF39
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D6F34
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D6F0E
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD76D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDF76
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDF44
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D67AF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDFA4
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D47EF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D6FF3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D67C6
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD82C
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D7824
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D6820
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DF032
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D481B
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD863
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD8BF
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DB48A
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D7093
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D08F9
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD8CC
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D48C3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D70DE
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D4933
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD903
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D4967
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D0943
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D495D
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D8556
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DB5AB
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D11B1
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D498F
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D41F7
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D11F3
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D41C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0710

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD82A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D8863 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DF872 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDA3B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDA6A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDAA6 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDAD3 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDB38 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDB00 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDB76 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDBC7 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD82C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DDC13 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD863 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D887B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD8BF NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD8CC NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD93B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD903 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D896B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD9B2 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD983 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD9E5 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0B83 Sleep,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0C78 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0CC8 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0C47 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0BD8 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0D17 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0C7F NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 15_2_02CF0C77 NtProtectVirtualMemory,

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000000.602674209.000000000041C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Countysygej.exe.15.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: invalid certificate

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Virustotal: Detection: 39%
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	ReversingLabs: Detection: 27%

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\wifitskl

Jump to behavior

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\~DFDA925A6B9EAC6C8F.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@10/1

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-5IOG84

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_00407484 push 1002C579h; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_00404764 push esi; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D9605 push es; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D5A4B pushad ; retf
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D037F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D03BB push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D0383 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DA7FF push cs; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D043F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D0403 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D046F push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D04A7 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D04EC push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D0CD1 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D0CD3 push ds; ret
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D116B pushfd ; iretd
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D95F5 push es; iretd

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File created: \hong tak engineering sb payment receipt 241121_pdf.exe

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe

Jump to dropped file

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings			Jump to behavior

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\COUNTYSYGEJ.EXE\AGERHNSJAGTFISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNTANADARFORURENINGSHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7FA6B3539DFD0E74&RESID=7FA6B3539DFD0E74%211122&AUTHKEY=AFLMPX3MS1VU7IU

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196	Thread sleep count: 9176 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196	Thread sleep time: -45880s >= -30000s

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9176 delay: -5

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 3_2_022D4123 rdtsc

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: threadDelayed 9176
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: foregroundWindowGot 673

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

System information queried: ModuleInformation

Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW8
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: ieinstal.exe, 0000000F.00000002.5677340949.0000000002FC9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\Countysygej.exe\AgerhnsjagtfiSoftware\Microsoft\Windows\CurrentVersion\RunTanadarforureningshttps://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX3ms1Vu7IU
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWVY
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 3_2_022D4123 rdtsc

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DEA2B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DC345 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022D9889 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Code function: 3_2_022DD108 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Code function: 3_2_022DAD16 LdrInitializeThunk,

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CE0000

Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"

Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:6111E
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:6111
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program ManagerEM t8
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Manager1064_03
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program ManagerModules.`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program ManagerEM
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program ManagernsoleS5`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Manageroca
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Manager\Users\<`
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:61118
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managerpc
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:6111U
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp, logs.dat.15.dr	Binary or memory string: [Program Manager]

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection112	Masquerading1	Input Capture11	Security Software Discovery421	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection112	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	40%	Virustotal		Browse
Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	27%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe	40%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe	27%	ReversingLabs	Win32.Downloader.GuLoader

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
olufem.ddns.net	124.82.81.98	true	true	unknown
onedrive.live.com	unknown	unknown	false	high
7ybh4q.bn.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=7FA6B3	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX	ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp	false	high
https://7ybh4q.bn.files.1drv.com/D	ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp	false	high
https://7ybh4q.bn.files.1drv.com/	ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	false	high
https://7ybh4q.bn.files.1drv.com/f	ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp	false	high
https://7ybh4q.bn.files.1drv.com/y4mrYMhoGbjFe4lMap9L9LeL2yBCYdzRMAuRmtg6XK6YTbK2Pi7yHWQHU8EnZiLbINN	ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000003.951864678.0000000003030000.00000004.00000001.sdmp	false	high
https://onedrive.live.com/E	ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/	ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
124.82.81.98	olufem.ddns.net	Malaysia		4788	TMNET-AS-APTMNetInternetServiceProviderMY	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528205
Start date:	24.11.2021
Start time:	21:11:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 43s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@10/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 75% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, BdeUISrv.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, IntelPTTEKRecertification.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 51.105.236.244, 20.82.207.122, 13.107.42.13, 13.107.43.12 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, slscr.update.microsoft.com, arc.msn.com, odc-bn-files-geo.onedrive.akadns.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, login.live.com, continuum.dds.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-bn-files-brs.onedrive.akadns.net, tile-service.weather.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, l-0003.dc-msedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, evoke-windowsservices-tas.msedge.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:15:22	Task Scheduler	Run new task: Intel PTT EK Recertification path: "C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe"
21:15:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe
21:16:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
olufem.ddns.net	EASTWAY COMNAGA SB PAYMENT BANK IN SLIP 250521_PDF.exe	Get hash	malicious	Browse	192.253.242.6

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TMNET-AS-APTMNetInternetServiceProviderMY	8WJ1mWaBwN	Get hash	malicious	Browse	60.49.58.145
	j9ZfvcmyKN	Get hash	malicious	Browse	1.32.15.223
	jJE7aD1zME	Get hash	malicious	Browse	219.93.31.44
	SSIuSyaBAF	Get hash	malicious	Browse	210.187.51.227
	arm-20211121-1750	Get hash	malicious	Browse	175.145.81.50
	Z4GtdTRjuR	Get hash	malicious	Browse	175.139.103.110
	4IjC16LtGD	Get hash	malicious	Browse	60.51.38.70
	n3586AtaJ2	Get hash	malicious	Browse	110.159.188.159
	XLKPMXNVFz	Get hash	malicious	Browse	60.49.58.145
	uranium.arm	Get hash	malicious	Browse	115.133.184.135
	6czmI0PCR3	Get hash	malicious	Browse	202.188.38.151
	hIejwF53zt	Get hash	malicious	Browse	219.93.199.24
	arm7	Get hash	malicious	Browse	175.143.137.156
	arm	Get hash	malicious	Browse	219.95.72.247
	TAwWC6sZFE	Get hash	malicious	Browse	42.189.114.232
	he7hRoAnnx	Get hash	malicious	Browse	175.143.137.179
	mips	Get hash	malicious	Browse	115.132.43.74
	0v5QUcQFnC	Get hash	malicious	Browse	1.32.134.252
	arm5-20211114-0109	Get hash	malicious	Browse	175.139.159.156
	0tCtZXUxNW	Get hash	malicious	Browse	118.101.211.234

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	128816
Entropy (8bit):	5.999498053134024
Encrypted:	false
SSDEEP:	1536:I+3sCKWgen7J84YCrMYpNxXeBwodguvRZkVT7yaBOJzFHKAgYX5:I1PX0JLHrJNvoPvoVT58JzFh5
MD5:	B2E24BC0F1F55F2AC9D8034098DFE32F
SHA1:	4A20778ACF6D512792077DC339F23ACFBDF22875
SHA-256:	D5ACE58C68D1FF767B284DEB172B5CE0550E96023A509A171FA7B34F0929B8E0
SHA-512:	01DBC321743ACF74EF5557F9429D26AA5892B196C695A5E4ED0342D626C4E98A650D01729975D20812653EDAF5295FDC7484A43949738D9DE5EFFDB1DCB7B896
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 27%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u..&..&..&T.&..&..&..&..&..&Rich..&................PE..L......V.....................`...... .............@..................................A......................................d...(.......<7..............0...................................................0... ....................................text...(........................... ..`.data...............................@....rsrc...<7.......@..................@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDA925A6B9EAC6C8F.TMP Download File
Process:	C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.3863194741075688
Encrypted:	false
SSDEEP:	96:GaabmG8CL3uSTdfPBeQaabmG8CL3uSTdf:i93jJBeU93j
MD5:	B3A27F74C52AC98DDE14EA7A804ECFD6
SHA1:	5F6D3F7644E0973D8A059AC228042EA60C507836
SHA-256:	F6C6736ACA8B6A743732E216DBB62B59B65DCBB0B6308B2B28D67706ABBC7F0C
SHA-512:	F7129070C7133C63C57BE7724B322B2A8F3FB6624F35B7A4E730DECD418E488CBF53292E845255DEDCFBA1502A0332D7DB17EF29D0E2A2A4DD345F87EECB36BE
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wifitskl\logs.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3458058208756873
Encrypted:	false
SSDEEP:	3:rklKlFlUef4qClDl5JWRal2Jl+7R0DAlBG45klovDl6v:IlKPlPf4qCb5YcIeeDAlOWAv
MD5:	15929DC814DA0FBE525987A12E1802A8
SHA1:	AF68046542D879732F3D447B3046FD02D5B5EFC1
SHA-256:	3D48A06F43C9DC735B6174D4019EFBF866D9F11946A8D2F691CA7DF33460823F
SHA-512:	74C074F001B04538BE027C1E8FCE6F1CBC5A36D01083B3AB455DFDA14DC61850E12B816C5A4E9C7D3A22422E223E866306D874293DB157415B0C70DF3A1A8C3F
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.1.1./.2.4. .2.1.:.1.6.:.0.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.999498053134024
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
File size:	128816
MD5:	b2e24bc0f1f55f2ac9d8034098dfe32f
SHA1:	4a20778acf6d512792077dc339f23acfbdf22875
SHA256:	d5ace58c68d1ff767b284deb172b5ce0550e96023a509a171fa7b34f0929b8e0
SHA512:	01dbc321743acf74ef5557f9429d26aa5892b196c695a5e4ed0342d626c4e98a650d01729975d20812653edaf5295fdc7484a43949738d9de5effdb1dcb7b896
SSDEEP:	1536:I+3sCKWgen7J84YCrMYpNxXeBwodguvRZkVT7yaBOJzFHKAgYX5:I1PX0JLHrJNvoPvoVT58JzFh5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&T..&...&...&...&...&...&Rich...&................PE..L......V.....................`...... .............@........

File Icon


Icon Hash:	42b97ce4f0e1f2e4

Static PE Info

General
Entrypoint:	0x401320
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56BC1AFE [Thu Feb 11 05:24:14 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	995d60149de3040b4890e5871343f4eb

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=dykkerklokkeado@LOKALITET.Sk, CN=godkendelsesmil, OU=Iroquoianspri1, O=Klarissenobie, L=KEDECHRYSLEROVEREF, S=AFSPADSERING, C=SC
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/11/2021 04:20:15 24/11/2022 04:20:15
Subject Chain	E=dykkerklokkeado@LOKALITET.Sk, CN=godkendelsesmil, OU=Iroquoianspri1, O=Klarissenobie, L=KEDECHRYSLEROVEREF, S=AFSPADSERING, C=SC
Version:	3
Thumbprint MD5:	8ACCDE5BD3D9438F5ED6CE6C1979787E
Thumbprint SHA-1:	E6BE6E4C60B6588F4C337C033C6165C6914F3249
Thumbprint SHA-256:	A2E6DA055CC6C343D9251796595BC0A1882C21EC31DBD14C72A656EC419A4096
Serial:	00

Entrypoint Preview

Instruction
push 0040284Ch
call 00007F7778890783h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi-71919BE2h], al
inc esi
mov byte ptr [ecx-66h], cl
popfd
std
iretd
adc dword ptr [ebp+00003112h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc eax
add bh, byte ptr [eax]
or byte ptr [ecx+00h], al
inc esp
outsd
jnbe 00007F7778890800h
imul esp, dword ptr [ebp+73h], 6E6F6B74h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add esp, ebx
mov byte ptr [DB0681D6h], al
mov eax, dword ptr [DCCA9944h]
clc
mov dword ptr [128312C7h], eax
sub eax, 4704A48Fh
scasd
dec ebp
test al, E0h
inc esi
xor eax, ecx
scasd
call 00007F7725D84231h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
stosb
push cs
add byte ptr [eax], al
mov dword ptr [esi], ecx
add byte ptr [eax], al
add byte ptr [eax+eax], cl
push ebx
jne 00007F7778890800h
jbe 00007F77788907F9h
jc 00007F77788907FDh
xor dword ptr [eax], eax
or eax, 42000701h
popad

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19264	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x373c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1f000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18728	0x19000	False	0.47935546875	data	6.37312654175	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x1a94	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x373c	0x4000	False	0.217163085938	data	3.71594095347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
SET	0x1d296	0x24a6	MS Windows icon resource - 3 icons, 24x24, 16 colors, 4 bits/pixel, 24x24, 8 bits/pixel	English	United States
RT_ICON	0x1c9ee	0x8a8	data
RT_ICON	0x1c486	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1c464	0x22	data
RT_VERSION	0x1c170	0x2f4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Clamore
InternalName	GRUDGEFULUNNOT
FileVersion	1.00
CompanyName	Clamore
LegalTrademarks	Clamore
Comments	Clamore
ProductName	Clamore
ProductVersion	1.00
FileDescription	Clamore
OriginalFilename	GRUDGEFULUNNOT.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-21:16:03.943231	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54993	1.1.1.1	192.168.11.20
11/24/21-21:17:10.219978	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61388	1.1.1.1	192.168.11.20
11/24/21-21:18:16.486809	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56392	1.1.1.1	192.168.11.20
11/24/21-21:19:22.754077	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53851	1.1.1.1	192.168.11.20
11/24/21-21:20:29.035139	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57069	1.1.1.1	192.168.11.20
11/24/21-21:21:35.301983	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50763	1.1.1.1	192.168.11.20
11/24/21-21:22:41.570485	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	62805	1.1.1.1	192.168.11.20
11/24/21-21:23:47.834671	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63500	1.1.1.1	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 21:16:03.944188118 CET	49768	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:04.954806089 CET	49768	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:06.969886065 CET	49768	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:10.984575987 CET	49768	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:18.998584032 CET	49768	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:26.054233074 CET	49776	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:27.059231997 CET	49776	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:29.058798075 CET	49776	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:33.073483944 CET	49776	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:41.087390900 CET	49776	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:48.120667934 CET	49783	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:49.132457972 CET	49783	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:51.147586107 CET	49783	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:16:55.162360907 CET	49783	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:03.176305056 CET	49783	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:10.221398115 CET	49786	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:11.221426964 CET	49786	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:13.236635923 CET	49786	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:17.251171112 CET	49786	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:25.265109062 CET	49786	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:32.297257900 CET	49789	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:33.310327053 CET	49789	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:35.325279951 CET	49789	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:39.340059042 CET	49789	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:47.353986025 CET	49789	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:54.386050940 CET	49791	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:55.399092913 CET	49791	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:17:57.414266109 CET	49791	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:01.429003000 CET	49791	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:09.442759037 CET	49791	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:16.487657070 CET	49793	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:17.487942934 CET	49793	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:19.503175020 CET	49793	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:23.522046089 CET	49793	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:31.531696081 CET	49793	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:38.563545942 CET	49796	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:39.576857090 CET	49796	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:41.591892958 CET	49796	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:45.606659889 CET	49796	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:18:53.620731115 CET	49796	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:00.652743101 CET	49799	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:01.665728092 CET	49799	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:03.680870056 CET	49799	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:07.695575953 CET	49799	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:15.709378004 CET	49799	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:22.755846024 CET	49800	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:23.770164013 CET	49800	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:25.785235882 CET	49800	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:29.800086021 CET	49800	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:37.814014912 CET	49800	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:44.845944881 CET	49802	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:45.859019995 CET	49802	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:47.874130964 CET	49802	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:51.889010906 CET	49802	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:19:59.902756929 CET	49802	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:06.934803963 CET	49805	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:07.947868109 CET	49805	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:09.963076115 CET	49805	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:13.977791071 CET	49805	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:21.991703987 CET	49805	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:29.036036968 CET	49807	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:30.036818027 CET	49807	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:32.051997900 CET	49807	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:36.066572905 CET	49807	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:44.080523014 CET	49807	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:51.112462997 CET	49808	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:52.125577927 CET	49808	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:54.140883923 CET	49808	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:20:58.155420065 CET	49808	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:06.169336081 CET	49808	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:13.201263905 CET	49810	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:14.214443922 CET	49810	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:16.229585886 CET	49810	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:20.244519949 CET	49810	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:28.258208990 CET	49810	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:35.302795887 CET	49813	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:36.303348064 CET	49813	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:38.318450928 CET	49813	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:42.333194971 CET	49813	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:50.347140074 CET	49813	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:57.379214048 CET	49821	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:21:58.392088890 CET	49821	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:00.407411098 CET	49821	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:04.422167063 CET	49821	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:12.435956001 CET	49821	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:19.469208956 CET	49824	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:20.480978966 CET	49824	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:22.496289968 CET	49824	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:26.510926962 CET	49824	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:34.524770975 CET	49824	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:41.571574926 CET	49827	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:42.585546017 CET	49827	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:44.600801945 CET	49827	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:48.615540981 CET	49827	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:22:56.629332066 CET	49827	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:23:03.661417007 CET	49830	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:23:04.674488068 CET	49830	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:23:06.689634085 CET	49830	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:23:10.704372883 CET	49830	6111	192.168.11.20	124.82.81.98
Nov 24, 2021 21:23:18.718188047 CET	49830	6111	192.168.11.20	124.82.81.98

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 21:15:56.838493109 CET	65394	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:15:57.603185892 CET	63507	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:16:03.931648970 CET	54993	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:16:03.943231106 CET	53	54993	1.1.1.1	192.168.11.20
Nov 24, 2021 21:17:10.207977057 CET	61388	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:17:10.219978094 CET	53	61388	1.1.1.1	192.168.11.20
Nov 24, 2021 21:18:16.474395037 CET	56392	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:18:16.486809015 CET	53	56392	1.1.1.1	192.168.11.20
Nov 24, 2021 21:19:22.741189957 CET	53851	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:19:22.754076958 CET	53	53851	1.1.1.1	192.168.11.20
Nov 24, 2021 21:20:29.023251057 CET	57069	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:20:29.035139084 CET	53	57069	1.1.1.1	192.168.11.20
Nov 24, 2021 21:21:35.289797068 CET	50763	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:21:35.301983118 CET	53	50763	1.1.1.1	192.168.11.20
Nov 24, 2021 21:22:41.556521893 CET	62805	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:22:41.570485115 CET	53	62805	1.1.1.1	192.168.11.20
Nov 24, 2021 21:23:47.822930098 CET	63500	53	192.168.11.20	1.1.1.1
Nov 24, 2021 21:23:47.834671021 CET	53	63500	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2021 21:15:56.838493109 CET	192.168.11.20	1.1.1.1	0x7c5f	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Nov 24, 2021 21:15:57.603185892 CET	192.168.11.20	1.1.1.1	0xb6f5	Standard query (0)	7ybh4q.bn.files.1drv.com	A (IP address)	IN (0x0001)
Nov 24, 2021 21:16:03.931648970 CET	192.168.11.20	1.1.1.1	0xcd2c	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:17:10.207977057 CET	192.168.11.20	1.1.1.1	0xf8f8	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:18:16.474395037 CET	192.168.11.20	1.1.1.1	0x77ac	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:19:22.741189957 CET	192.168.11.20	1.1.1.1	0x6f48	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:20:29.023251057 CET	192.168.11.20	1.1.1.1	0x5463	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:21:35.289797068 CET	192.168.11.20	1.1.1.1	0x2889	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:22:41.556521893 CET	192.168.11.20	1.1.1.1	0xdd45	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2021 21:23:47.822930098 CET	192.168.11.20	1.1.1.1	0x4b0f	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 24, 2021 21:15:56.848558903 CET	1.1.1.1	192.168.11.20	0x7c5f	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 21:15:57.780812979 CET	1.1.1.1	192.168.11.20	0xb6f5	No error (0)	7ybh4q.bn.files.1drv.com	bn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 21:15:57.780812979 CET	1.1.1.1	192.168.11.20	0xb6f5	No error (0)	bn-files.fe.1drv.com	odc-bn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 21:16:03.943231106 CET	1.1.1.1	192.168.11.20	0xcd2c	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:17:10.219978094 CET	1.1.1.1	192.168.11.20	0xf8f8	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:18:16.486809015 CET	1.1.1.1	192.168.11.20	0x77ac	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:19:22.754076958 CET	1.1.1.1	192.168.11.20	0x6f48	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:20:29.035139084 CET	1.1.1.1	192.168.11.20	0x5463	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:21:35.301983118 CET	1.1.1.1	192.168.11.20	0x2889	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:22:41.570485115 CET	1.1.1.1	192.168.11.20	0xdd45	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)
Nov 24, 2021 21:23:47.834671021 CET	1.1.1.1	192.168.11.20	0x4b0f	No error (0)	olufem.ddns.net		124.82.81.98	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe PID: 3648 Parent PID: 8652

General

Start time:	21:15:22
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Imagebase:	0x400000
File size:	128816 bytes
MD5 hash:	B2E24BC0F1F55F2AC9D8034098DFE32F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ieinstal.exe PID: 5020 Parent PID: 3648

General

Start time:	21:15:37
Start date:	24/11/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe"
Imagebase:	0xc60000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Hong Tak Engineering SB Payment Receipt 241121_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries