Source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1U"} |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Virustotal: Detection: 53% |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
ReversingLabs: Detection: 48% |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1U |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000000.659576091.0000000000420000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00401538 |
0_2_00401538 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00401774 |
0_2_00401774 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00401727 |
0_2_00401727 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216D885 |
0_2_0216D885 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02176965 |
0_2_02176965 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216CADD |
0_2_0216CADD |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02174BFA |
0_2_02174BFA |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02171413 |
0_2_02171413 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02174166 |
0_2_02174166 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0217659C |
0_2_0217659C |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216E199 |
0_2_0216E199 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216D885 NtAllocateVirtualMemory, |
0_2_0216D885 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Process Stats: CPU usage > 98% |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF23DE6D885E469C5F.TMP |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00406C05 push esi; retf |
0_2_00406C06 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_004084FF push edi; iretd |
0_2_0040850A |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0040B96F push eax; retf |
0_2_0040B977 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_004091F4 push ds; retf |
0_2_004091F5 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00403999 push 00000027h; iretd |
0_2_00403A72 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00404E0F push eax; retf |
0_2_00404E41 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00404A2F push ebp; iretd |
0_2_00404A51 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_00403AC3 push 00000027h; iretd |
0_2_00403A72 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216310B push es; ret |
0_2_0216310C |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
RDTSC instruction interceptor: First address: 000000000216C8E2 second address: 000000000216C8E2 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 7B963D66h
  0x00000007 xor eax, 1197335Eh
  0x0000000c xor eax, 8E98B3CDh
  0x00000011 add eax, 1B66420Ch
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007F1AA4D4E17Fh
  0x0000001e lfence
  0x00000021 mov edx, 039CDF59h
  0x00000026 xor edx, 6761231Bh
  0x0000002c add edx, BDE9AE69h
  0x00000032 xor edx, 5D19AABFh
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d ret
  0x0000003e sub edx, esi
  0x00000040 ret
  0x00000041 pop ecx
  0x00000042 add edi, edx
  0x00000044 dec ecx
  0x00000045 mov dword ptr [ebp+000001A9h], 42AF7243h
  0x0000004f xor dword ptr [ebp+000001A9h], 94D84AF3h
  0x00000059 add dword ptr [ebp+000001A9h], EA6232A4h
  0x00000063 add dword ptr [ebp+000001A9h], 3F2694ACh
  0x0000006d cmp ecx, dword ptr [ebp+000001A9h]
  0x00000073 jne 00007F1AA4D4E05Ah
  0x00000075 mov dword ptr [ebp+0000024Fh], edi
  0x0000007b mov edi, ecx
  0x0000007d push edi
  0x0000007e mov edi, dword ptr [ebp+0000024Fh]
  0x00000084 call 00007F1AA4D4E1DDh
  0x00000089 call 00007F1AA4D4E1A0h
  0x0000008e lfence
  0x00000091 mov edx, 039CDF59h
  0x00000096 xor edx, 6761231Bh
  0x0000009c add edx, BDE9AE69h
  0x000000a2 xor edx, 5D19AABFh
  0x000000a8 mov edx, dword ptr [edx]
  0x000000aa lfence
  0x000000ad ret
  0x000000ae mov esi, edx
  0x000000b0 pushad
  0x000000b1 rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216CFD0 rdtsc |
0_2_0216CFD0 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02172648 mov eax, dword ptr fs:[00000030h] |
0_2_02172648 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02174BFA mov eax, dword ptr fs:[00000030h] |
0_2_02174BFA |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0217309A mov eax, dword ptr fs:[00000030h] |
0_2_0217309A |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_0216C560 mov eax, dword ptr fs:[00000030h] |
0_2_0216C560 |
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe |
Code function: 0_2_02176965 RtlAddVectoredExceptionHandler, |
0_2_02176965 |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |