Windows Analysis Report Purchase Order PO20211027STK.exe

Overview

General Information

Sample Name: Purchase Order PO20211027STK.exe
Analysis ID: 531732
MD5: 2f2102ec5776497950e89e419515efee
SHA1: 1d3dd4ed88af22c3de29c918b37db6f0b73c94c4
SHA256: 7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
Tags: exeguloader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000000A.00000000.509732142.0000000001300000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r"}
Multi AV Scanner detection for submitted file
Source: Purchase Order PO20211027STK.exe ReversingLabs: Detection: 11%
Machine Learning detection for sample
Source: Purchase Order PO20211027STK.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: Purchase Order PO20211027STK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Purchase Order PO20211027STK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SPORENE.pdb source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r
Source: Purchase Order PO20211027STK.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: unknown DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order PO20211027STK.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order PO20211027STK.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Purchase Order PO20211027STK.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Code function: 2_2_00401724 2_2_00401724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130C57E 10_2_0130C57E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01313A78 10_2_01313A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130CD7B 10_2_0130CD7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01308F7F 10_2_01308F7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013121A1 10_2_013121A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01311990 10_2_01311990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130B198 10_2_0130B198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01313632 10_2_01313632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130880F 10_2_0130880F
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130C57E NtAllocateVirtualMemory, 10_2_0130C57E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01313445 NtProtectVirtualMemory, 10_2_01313445
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSPORENE.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDNB10 vs Purchase Order PO20211027STK.exe
Source: Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSPORENE.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDNB10 vs Purchase Order PO20211027STK.exe
PE file contains strange resources
Source: SPORENE.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase Order PO20211027STK.exe ReversingLabs: Detection: 11%
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe File read: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Jump to behavior
Source: Purchase Order PO20211027STK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe "C:\Users\user\Desktop\Purchase Order PO20211027STK.exe"
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Process created: C:\Users\user\AppData\Local\Temp\SPORENE.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Process created: C:\Users\user\AppData\Local\Temp\SPORENE.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe File created: C:\Users\user\AppData\Local\Temp\nsdBD47.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@2/0
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Purchase Order PO20211027STK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SPORENE.pdb source: Purchase Order PO20211027STK.exe, 00000000.00000002.364244028.0000000000426000.00000004.00020000.sdmp, Purchase Order PO20211027STK.exe, 00000000.00000002.364228139.0000000000411000.00000004.00020000.sdmp, SPORENE.exe.0.dr

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 0000000A.00000000.509732142.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.626110069.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Code function: 2_2_03F03DF2 push ebp; iretd 2_2_03F03E03
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Code function: 2_2_03F018AA push es; retf 2_2_03F018AB
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Code function: 2_2_03F00E2E push ebp; iretd 2_2_03F00E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130136D push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01301321 push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01305B1D push esp; ret 10_2_01305B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130130F push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130076A push ds; iretd 10_2_0130085B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130076D push ds; iretd 10_2_0130085B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130696E push eax; ret 10_2_0130696F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130494C push ds; iretd 10_2_0130494E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013121A1 push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01301590 push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01303580 push edi; iretd 10_2_01303581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01313582 push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013049F4 pushfd ; ret 10_2_01304A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013075E0 push es; retf 10_2_013075F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013007C0 push ds; iretd 10_2_0130085B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013033C9 push esp; ret 10_2_013033CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01304A31 pushfd ; ret 10_2_01304A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01300822 push ds; iretd 10_2_0130085B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130AC24 push esi; retf 10_2_0130E74F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01303E12 push 0000000Ch; ret 10_2_01303E16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01300000 push es; retf 10_2_013015D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01305A7B push esp; ret 10_2_01305B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01305AB2 push esp; ret 10_2_01305B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130ACE8 push esi; retf 10_2_0130E74F

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe File created: C:\Users\user\AppData\Local\Temp\SPORENE.exe Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SPORENE.exe, 00000002.00000002.630328200.0000000003F20000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: SPORENE.exe, 00000002.00000002.630328200.0000000003F20000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe System information queried: ModuleInformation Jump to behavior
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SPORENE.exe, 00000002.00000002.630328200.0000000003F20000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: SPORENE.exe, 00000002.00000002.630328200.0000000003F20000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SPORENE.exe, 00000002.00000002.630501912.000000000606A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000A.00000002.626781810.000000000316A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_0130FD16 mov eax, dword ptr fs:[00000030h] 10_2_0130FD16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_013121A1 mov eax, dword ptr fs:[00000030h] 10_2_013121A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01310ABF mov eax, dword ptr fs:[00000030h] 10_2_01310ABF
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01305BFC LdrInitializeThunk, 10_2_01305BFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_01313A78 RtlAddVectoredExceptionHandler, 10_2_01313A78

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1300000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\SPORENE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\SPORENE.exe Jump to behavior
Source: SPORENE.exe, 00000002.00000002.628178990.0000000002080000.00000002.00020000.sdmp, CasPol.exe, 0000000A.00000002.626654609.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: SPORENE.exe, 00000002.00000002.628178990.0000000002080000.00000002.00020000.sdmp, CasPol.exe, 0000000A.00000002.626654609.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: SPORENE.exe, 00000002.00000002.628178990.0000000002080000.00000002.00020000.sdmp, CasPol.exe, 0000000A.00000002.626654609.0000000001D10000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: SPORENE.exe, 00000002.00000002.628178990.0000000002080000.00000002.00020000.sdmp, CasPol.exe, 0000000A.00000002.626654609.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Purchase Order PO20211027STK.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D

Stealing of Sensitive Information:

barindex
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 531732 Sample: Purchase Order PO20211027STK.exe Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 22 onedrive.live.com 2->22 24 ervtqq.bl.files.1drv.com 2->24 26 bl-files.fe.1drv.com 2->26 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 GuLoader behavior detected 2->32 34 6 other signatures 2->34 9 Purchase Order PO20211027STK.exe 9 2->9         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\SPORENE.exe, PE32 9->20 dropped 12 SPORENE.exe 9->12         started        process6 signatures7 36 Writes to foreign memory regions 12->36 38 Tries to detect Any.run 12->38 40 Hides threads from debuggers 12->40 15 CasPol.exe 1 12->15         started        process8 signatures9 42 Tries to detect Any.run 15->42 44 Hides threads from debuggers 15->44 18 conhost.exe 15->18         started        process10
No contacted IP infos

Contacted Domains

Name IP Active
onedrive.live.com unknown unknown
ervtqq.bl.files.1drv.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r false
    		high