Source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expor"} |
Source: SWIFT_ACK-89813.02.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?expor |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F83D2 NtAllocateVirtualMemory, 0_2_023F83D2 |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000000.293724818.000000000042B000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824752496.00000000022E0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameerst.exeFE2X vs SWIFT_ACK-89813.02.exe |
Source: SWIFT_ACK-89813.02.exe |
Binary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe |
Source: SWIFT_ACK-89813.02.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F83D2 0_2_023F83D2 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023FD477 0_2_023FD477 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F023A 0_2_023F023A |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F7AB2 0_2_023F7AB2 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F730C 0_2_023F730C |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F575A 0_2_023F575A |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023FBF90 0_2_023FBF90 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023FBB83 0_2_023FBB83 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F5D96 0_2_023F5D96 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F5989 0_2_023F5989 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFA1C4850DA9C6EF9A.TMP |
Source: SWIFT_ACK-89813.02.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal60.troj.winEXE@1/1@0/0 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 |
Source: Yara match |
File source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00406901 push ds; ret 0_2_00406902 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00409518 push ebx; iretd 0_2_00409519 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00407D81 push edx; ret 0_2_00407D8D |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00407999 push ebx; iretd 0_2_0040799D |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00406DAE push ebp; ret 0_2_00406DB5 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_004055BC push ds; ret 0_2_004055D6 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_0040A644 push cs; iretd 0_2_0040A650 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00405EC9 push cs; ret 0_2_00405F04 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_0040828C push eax; iretd 0_2_004082D1 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_00406FE2 push ebx; iretd 0_2_00407075 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F1E08 push ss; retf 0_2_023F1E0E |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F3394 pushad ; retn 0004h 0_2_023F33CF |
Source: initial sample |
Static PE information: section name: .text entropy: 7.1391806469 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F7F96 rdtsc 0_2_023F7F96 |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023FB23E mov eax, dword ptr fs:[00000030h] 0_2_023FB23E |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023F797D mov eax, dword ptr fs:[00000030h] 0_2_023F797D |
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe |
Code function: 0_2_023FD477 RtlAddVectoredExceptionHandler, 0_2_023FD477 |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |