Source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=down"} |
Source: 20211129.exe |
Virustotal: Detection: 36% |
Perma Link |
Source: 20211129.exe |
Metadefender: Detection: 21% |
Perma Link |
Source: 20211129.exe |
ReversingLabs: Detection: 51% |
Source: 20211129.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=down |
Source: 20211129.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: 20211129.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: 20211129.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: 20211129.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: 20211129.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 20211129.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: 20211129.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: 20211129.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: 20211129.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: 20211129.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: 20211129.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: 20211129.exe, 00000000.00000002.776768786.0000000002A40000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenametofrontskrig.exeFE2XK vs 20211129.exe |
Source: 20211129.exe, 00000000.00000000.245587033.0000000000425000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe |
Source: 20211129.exe |
Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe |
Source: 20211129.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02236BAF |
0_2_02236BAF |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222D9D3 |
0_2_0222D9D3 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222BC7B |
0_2_0222BC7B |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222E24E |
0_2_0222E24E |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222525E |
0_2_0222525E |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022336B9 |
0_2_022336B9 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02234E85 |
0_2_02234E85 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022332ED |
0_2_022332ED |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022252EC |
0_2_022252EC |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222D568 |
0_2_0222D568 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222C18D |
0_2_0222C18D |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022205CC |
0_2_022205CC |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022343CC |
0_2_022343CC |
Source: 20211129.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222D9D3 NtAllocateVirtualMemory, |
0_2_0222D9D3 |
Source: C:\Users\user\Desktop\20211129.exe |
Process Stats: CPU usage > 98% |
Source: 20211129.exe |
Virustotal: Detection: 36% |
Source: 20211129.exe |
Metadefender: Detection: 21% |
Source: 20211129.exe |
ReversingLabs: Detection: 51% |
Source: 20211129.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\20211129.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372 |
Jump to behavior |
Source: classification engine |
Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0040C11C pushfd ; iretd |
0_2_0040C120 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02222623 push FFFFFF81h; ret |
0_2_0222262F |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02225E26 push esp; iretd |
0_2_02225E28 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02222231 push ebx; retf |
0_2_022222A6 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02220039 pushfd ; retf |
0_2_02220050 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02220C65 pushfd ; iretd |
0_2_02220C68 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02220052 pushfd ; retf |
0_2_02220050 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02220052 pushfd ; retf |
0_2_022200B3 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222D2C5 push ecx; retf |
0_2_0222D7DD |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02224BBD push ss; ret |
0_2_02224BBE |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02221B91 pushfd ; ret |
0_2_02221B95 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02222DCC push edi; iretd |
0_2_02222DCD |
Source: C:\Users\user\Desktop\20211129.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\20211129.exe |
RDTSC instruction interceptor: First address: 000000000222CB10 second address: 000000000222CB10 instructions: 0x00000000 rdtsc 0x00000002 mov eax, C59FC429h 0x00000007 sub eax, C4E79C3Eh 0x0000000c add eax, 320FDAB5h 0x00000011 sub eax, 32C8029Fh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F487CD844D4h 0x0000001e lfence 0x00000021 mov edx, D1AF9544h 0x00000026 xor edx, 9043EC23h 0x0000002c sub edx, FB2A8C3Dh 0x00000032 xor edx, 393FED3Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+0000020Ch], ecx 0x0000004b mov ecx, A02E6A25h 0x00000050 add ecx, 63038538h 0x00000056 xor ecx, 9592C6BAh 0x0000005c xor ecx, 96A329E7h 0x00000062 cmp dword ptr [ebp+0000020Ch], ecx 0x00000068 mov ecx, dword ptr [ebp+0000020Ch] 0x0000006e jne 00007F487CD843BFh 0x00000070 mov dword ptr [ebp+00000231h], eax 0x00000076 mov eax, ecx 0x00000078 push eax 0x00000079 mov eax, dword ptr [ebp+00000231h] 0x0000007f call 00007F487CD845FBh 0x00000084 call 00007F487CD844F5h 0x00000089 lfence 0x0000008c mov edx, D1AF9544h 0x00000091 xor edx, 9043EC23h 0x00000097 sub edx, FB2A8C3Dh 0x0000009d xor edx, 393FED3Eh 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 ret 0x000000a9 mov esi, edx 0x000000ab pushad 0x000000ac rdtsc |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222CB08 rdtsc |
0_2_0222CB08 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02234E85 mov eax, dword ptr fs:[00000030h] |
0_2_02234E85 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_022332ED mov eax, dword ptr fs:[00000030h] |
0_2_022332ED |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222C77D mov eax, dword ptr fs:[00000030h] |
0_2_0222C77D |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02232985 mov eax, dword ptr fs:[00000030h] |
0_2_02232985 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_0222CB08 rdtsc |
0_2_0222CB08 |
Source: C:\Users\user\Desktop\20211129.exe |
Code function: 0_2_02236BAF RtlAddVectoredExceptionHandler, |
0_2_02236BAF |
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: SProgram Managerl |
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |