Windows Analysis Report Purchase Order PO20211027STK.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE98540B&r"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00406873 | |
Source: | Code function: | 0_2_00405C49 | |
Source: | Code function: | 0_2_0040290B |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | Code function: | 0_2_004056DE |
System Summary: |
---|
Initial sample is a PE file and has a suspicious name | Show sources |
Source: | Static PE information: |
Executable has a suspicious name (potential lure to open the executable) | Show sources |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0040352D |
Source: | Code function: | 0_2_0040755C | |
Source: | Code function: | 0_2_00406D85 | |
Source: | Code function: | 2_2_00401724 | |
Source: | Code function: | 10_2_0130C57E | |
Source: | Code function: | 10_2_01313A78 | |
Source: | Code function: | 10_2_0130CD7B | |
Source: | Code function: | 10_2_01308F7F | |
Source: | Code function: | 10_2_013121A1 | |
Source: | Code function: | 10_2_01311990 | |
Source: | Code function: | 10_2_0130B198 | |
Source: | Code function: | 10_2_01313632 | |
Source: | Code function: | 10_2_0130880F |
Source: | Code function: | 10_2_0130C57E | |
Source: | Code function: | 10_2_01313445 |
Source: | Process Stats: | ||
Source: | Process Stats: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Section loaded: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_0040352D |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 0_2_004021AA |
Source: | File read: | Jump to behavior |
Source: | Code function: | 0_2_0040498A |
Source: | Mutant created: |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation: |
---|
Yara detected GuLoader | Show sources |
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 2_2_03F03E03 | |
Source: | Code function: | 2_2_03F018AB | |
Source: | Code function: | 2_2_03F00E2F | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_01305B83 | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_0130085B | |
Source: | Code function: | 10_2_0130085B | |
Source: | Code function: | 10_2_0130696F | |
Source: | Code function: | 10_2_0130494E | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_01303581 | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_01304A92 | |
Source: | Code function: | 10_2_013075F1 | |
Source: | Code function: | 10_2_0130085B | |
Source: | Code function: | 10_2_013033CA | |
Source: | Code function: | 10_2_01304A92 | |
Source: | Code function: | 10_2_0130085B | |
Source: | Code function: | 10_2_0130E74F | |
Source: | Code function: | 10_2_01303E16 | |
Source: | Code function: | 10_2_013015D4 | |
Source: | Code function: | 10_2_01305B83 | |
Source: | Code function: | 10_2_01305B83 | |
Source: | Code function: | 10_2_0130E74F |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Show sources |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Last function: |
Source: | Code function: | 0_2_00406873 | |
Source: | Code function: | 0_2_00405C49 | |
Source: | Code function: | 0_2_0040290B |
Source: | System information queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Anti Debugging: |
---|
Hides threads from debuggers | Show sources |
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior |
Source: | Code function: | 10_2_0130FD16 | |
Source: | Code function: | 10_2_013121A1 | |
Source: | Code function: | 10_2_01310ABF |
Source: | Code function: | 10_2_01305BFC |
Source: | Code function: | 10_2_01313A78 |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions | Show sources |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_0040352D |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected | Show sources |
Source: | Signature Results: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation1 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | Security Software Discovery31 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Access Token Manipulation1 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery4 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
9% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
onedrive.live.com | unknown | unknown | false | high | |
ervtqq.bl.files.1drv.com | unknown | unknown | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 531732 |
Start date: | 01.12.2021 |
Start time: | 09:57:30 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 56s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Purchase Order PO20211027STK.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/1@2/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\Purchase Order PO20211027STK.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21321008 |
Entropy (8bit): | 0.09325738133607682 |
Encrypted: | false |
SSDEEP: | 3072:mIXeoCC869BrI49jK9oUhJSSjfv8XEHPO:madlYoUZf2EvO |
MD5: | 582A642DF36CDAC38982E4842F370B44 |
SHA1: | 3DD6D0CECD4CD9414D7DF148F7C46548C5709D62 |
SHA-256: | 361DEDDF3E436753730DBB20842FBD6D1EF2EC27C56CD9DA99E87751C3BBE890 |
SHA-512: | E9C94417ACEF2B33DED79182C8B397E2693A74D290E78E286AE7576C998BF14F39F370C06BC40C9DFFDF2DE2E7F680AA0F33D74DB508E15EEAF1D31BE8D06BB6 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.060974988277113 |
TrID: |
|
File name: | Purchase Order PO20211027STK.exe |
File size: | 131031 |
MD5: | 2f2102ec5776497950e89e419515efee |
SHA1: | 1d3dd4ed88af22c3de29c918b37db6f0b73c94c4 |
SHA256: | 7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347 |
SHA512: | 963b79cb63703ea6a6e8d70bbe76fadc660e10b801283a3812a76f773ee36210171437794dad0b4ee11e8a2f34645c88c7463526be03274ffdf48ec81823032a |
SSDEEP: | 3072:gbG7N2kDTHUpou4ubV4QviYqsYLQyI9xxsFIRO7c3fkA:gbE/HUjV4QviYJMQXyFIR2HA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j......... |
File Icon |
---|
Icon Hash: | b2a88c96b2ca6a72 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40352d |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 56a78d55f3f7af51443e58e0ce2fb5f6 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 000003F4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [ebp-14h], ebx |
mov dword ptr [ebp-04h], 0040A2E0h |
mov dword ptr [ebp-10h], ebx |
call dword ptr [004080CCh] |
mov esi, dword ptr [004080D0h] |
lea eax, dword ptr [ebp-00000140h] |
push eax |
mov dword ptr [ebp-0000012Ch], ebx |
mov dword ptr [ebp-2Ch], ebx |
mov dword ptr [ebp-28h], ebx |
mov dword ptr [ebp-00000140h], 0000011Ch |
call esi |
test eax, eax |
jne 00007FEEC0975E6Ah |
lea eax, dword ptr [ebp-00000140h] |
mov dword ptr [ebp-00000140h], 00000114h |
push eax |
call esi |
mov ax, word ptr [ebp-0000012Ch] |
mov ecx, dword ptr [ebp-00000112h] |
sub ax, 00000053h |
add ecx, FFFFFFD0h |
neg ax |
sbb eax, eax |
mov byte ptr [ebp-26h], 00000004h |
not eax |
and eax, ecx |
mov word ptr [ebp-2Ch], ax |
cmp dword ptr [ebp-0000013Ch], 0Ah |
jnc 00007FEEC0975E3Ah |
and word ptr [ebp-00000132h], 0000h |
mov eax, dword ptr [ebp-00000134h] |
movzx ecx, byte ptr [ebp-00000138h] |
mov dword ptr [00434FB8h], eax |
xor eax, eax |
mov ah, byte ptr [ebp-0000013Ch] |
movzx eax, ax |
or eax, ecx |
xor ecx, ecx |
mov ch, byte ptr [ebp-2Ch] |
movzx ecx, cx |
shl eax, 10h |
or eax, ecx |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0x11e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6897 | 0x6a00 | False | 0.666126179245 | data | 6.45839821493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.439275568182 | data | 5.02410928126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x36000 | 0x16000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x4c000 | 0x11e0 | 0x1200 | False | 0.368489583333 | data | 4.48173978815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x4c268 | 0x368 | data | English | United States |
RT_ICON | 0x4c5d0 | 0x2e8 | data | English | United States |
RT_DIALOG | 0x4c8b8 | 0x144 | data | English | United States |
RT_DIALOG | 0x4ca00 | 0x13c | data | English | United States |
RT_DIALOG | 0x4cb40 | 0x100 | data | English | United States |
RT_DIALOG | 0x4cc40 | 0x11c | data | English | United States |
RT_DIALOG | 0x4cd60 | 0xc4 | data | English | United States |
RT_DIALOG | 0x4ce28 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x4ce88 | 0x14 | data | English | United States |
RT_MANIFEST | 0x4cea0 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW |
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW |
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 1, 2021 10:00:47.501432896 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
Dec 1, 2021 10:00:48.096002102 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 1, 2021 10:00:47.501432896 CET | 192.168.2.6 | 8.8.8.8 | 0x9999 | Standard query (0) | A (IP address) | IN (0x0001) | |
Dec 1, 2021 10:00:48.096002102 CET | 192.168.2.6 | 8.8.8.8 | 0xbde | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 1, 2021 10:00:47.535913944 CET | 8.8.8.8 | 192.168.2.6 | 0x9999 | No error (0) | odc-web-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001) | ||
Dec 1, 2021 10:00:48.138751984 CET | 8.8.8.8 | 192.168.2.6 | 0xbde | No error (0) | bl-files.fe.1drv.com | CNAME (Canonical name) | IN (0x0001) | ||
Dec 1, 2021 10:00:48.138751984 CET | 8.8.8.8 | 192.168.2.6 | 0xbde | No error (0) | odc-bl-files-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 09:58:37 |
Start date: | 01/12/2021 |
Path: | C:\Users\user\Desktop\Purchase Order PO20211027STK.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 131031 bytes |
MD5 hash: | 2F2102EC5776497950E89E419515EFEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 09:58:40 |
Start date: | 01/12/2021 |
Path: | C:\Users\user\AppData\Local\Temp\SPORENE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 21321008 bytes |
MD5 hash: | 582A642DF36CDAC38982E4842F370B44 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Visual Basic |
Antivirus matches: |
|
Reputation: | low |
General |
---|
Start time: | 09:59:47 |
Start date: | 01/12/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 107624 bytes |
MD5 hash: | F866FC1C2E928779C7119353C3091F0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
General |
---|
Start time: | 09:59:49 |
Start date: | 01/12/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 0040352D, Relevance: 88.0, APIs: 34, Strings: 16, Instructions: 450stringfilecomCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406873, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403BEC, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215stringregistryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040307D, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181memoryCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 95% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040176F, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145stringtimeCOMMON
C-Code - Quality: 75% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040689A, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C43, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
C-Code - Quality: 59% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
C-Code - Quality: 69% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401EDE, Relevance: 3.0, APIs: 2, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040602D, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
C-Code - Quality: 68% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406008, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405AEB, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004060DF, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004060B0, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004034E5, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401FA4, Relevance: 1.3, APIs: 1, Instructions: 37COMMON
C-Code - Quality: 78% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403B12, Relevance: 1.3, APIs: 1, Instructions: 11COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 004056DE, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
C-Code - Quality: 95% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040498A, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405C49, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON
C-Code - Quality: 98% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004021AA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON
C-Code - Quality: 67% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040290B, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
C-Code - Quality: 39% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406D85, Relevance: .3, Instructions: 334COMMONCrypto
C-Code - Quality: 79% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040755C, Relevance: .3, Instructions: 300COMMONCrypto
C-Code - Quality: 100% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404F06, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404658, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 90% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406183, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040657A, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196stringCOMMON
C-Code - Quality: 72% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404500, Relevance: 12.1, APIs: 8, Instructions: 68COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004026EC, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
C-Code - Quality: 87% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E54, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F93, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 48% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D81, Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
C-Code - Quality: 77% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E4E, Relevance: 7.5, APIs: 5, Instructions: 43COMMON
C-Code - Quality: 73% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404D46, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
C-Code - Quality: 77% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405E0C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 58% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403019, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405F14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
C-Code - Quality: 53% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405513, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
C-Code - Quality: 89% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040640B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
C-Code - Quality: 90% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405E58, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 77% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405F92, Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
---|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Executed Functions |
---|
Function 0130C57E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146memorynativeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01313A78, Relevance: 1.7, APIs: 1, Instructions: 240COMMON
APIs |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01313445, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON
APIs |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0130FE24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0130136D, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
APIs |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 013013B0, Relevance: 1.6, APIs: 1, Instructions: 100COMMON
APIs |
|
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 013121A1, Relevance: 4.4, Strings: 3, Instructions: 692COMMON
Strings |
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01310ABF, Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0130FD16, Relevance: .0, Instructions: 4COMMON
Memory Dump Source |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |