Source: 00000000.00000002.1175743788.00000000021A0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin"} |
Source: CI_PL_BL_ 4100675407_xls.exe |
ReversingLabs: Detection: 35% |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175536540.0000000000423000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe |
Source: CI_PL_BL_ 4100675407_xls.exe |
Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021AFF33 |
0_2_021AFF33 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021B0520 |
0_2_021B0520 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021AA749 |
0_2_021AA749 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF86C6EDC191096B55.TMP |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.1175743788.00000000021A0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_004074C8 push 713BC6CEh; iretd |
0_2_004074D6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_00406CDB push esi; ret |
0_2_00406CDC |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_004095C1 push 74E4E9CEh; iretd |
0_2_004095C6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_00407DA1 push E5AD70CEh; retf |
0_2_00407DA6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_0040966A pushad ; iretd |
0_2_0040979D |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_00405E18 push eax; retf |
0_2_00405E19 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_00407A19 push ADDCA7CEh; iretd |
0_2_00407A1E |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_0040968D pushad ; iretd |
0_2_0040979D |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021A2807 push FFFFFFABh; ret |
0_2_021A2879 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021A282C push FFFFFFABh; ret |
0_2_021A2879 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021A4E4E push es; iretd |
0_2_021A4E4F |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021A54AB push cs; iretd |
0_2_021A54F8 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021A5396 push edi; ret |
0_2_021A5397 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021B0A39 rdtsc |
0_2_021B0A39 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 0_2_021AF77C mov eax, dword ptr fs:[00000030h] |
0_2_021AF77C |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |