Source: 00000000.00000002.1200998777.0000000002CA0000.00000040.00000001.sdmp
Malware Configuration Extractor: GuLoader {"Payload URL": "https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin"}
Source: draft_inv dec21.exe
Metadefender: Detection: 20%
Source: draft_inv dec21.exe
ReversingLabs: Detection: 17%
Source: draft_inv dec21.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Malware configuration extractor
URLs: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: draft_inv dec21.exe, 00000000.00000000.674652784.0000000000421000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000000.00000002.1200866367.0000000002980000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameprajesselv.exeFE2XCx Frak vs draft_inv dec21.exe
Source: draft_inv dec21.exe
Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CB02FD (0_2_02CB02FD)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Process Stats: CPU usage > 98%
Source: draft_inv dec21.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\draft_inv dec21.exe
File created: C:\Users\user\AppData\Local\Temp\~DF91089FF9233BF8CB.TMP
Source: classification engine
Classification label: mal72.troj.evad.winEXE@1/1@0/0
Source: Yara match
File source: 00000000.00000002.1200998777.0000000002CA0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_0040846A push ds; retf (0_2_00408472)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_00407608 push ebx; iretd (0_2_00407609)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_00405C16 push ss; iretd (0_2_00405BC7)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_004094E5 push esi; iretd (0_2_004094E7)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_00405B7D push ss; iretd (0_2_00405BC7)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_00407F07 push ebp; retf (0_2_00407F0F)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_00408119 push ebx; iretd (0_2_0040811B)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA5A84 push edi; ret (0_2_02CA5A89)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA084B push ss; retf (0_2_02CA0852)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA5A48 push edi; ret (0_2_02CA5A89)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA0BC1 push FFB8EB81h; ret (0_2_02CA0BC6)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA399C push esp; ret (0_2_02CA39EF)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CA2B3A push cs; iretd (0_2_02CA2B3F)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CB08D3 rdtsc (0_2_02CB08D3)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CAF610 mov eax, dword ptr fs:[00000030h] (0_2_02CAF610)
Source: C:\Users\user\Desktop\draft_inv dec21.exe
Code function: 0_2_02CAC50C mov eax, dword ptr fs:[00000030h] (0_2_02CAC50C)
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp
Binary or memory string: Program Manager
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp
Binary or memory string: Progmanlock