Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name: 171121_PDF.exe
Analysis ID: 558240
MD5: 60d8b8589ba8045361ae148ee76c7582
SHA1: 328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256: 8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Found stalling execution ending in API Sleep call
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

AV Detection

Source: 171121_PDF.exe Avira: detected
Source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}
Source: 171121_PDF.exe Virustotal: Detection: 60%
Source: 171121_PDF.exe Metadefender: Detection: 17%
Source: 171121_PDF.exe ReversingLabs: Detection: 67%
Source: 171121_PDF.exe Joe Sandbox ML: detected
Source: 0.0.171121_PDF.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.jinay

Compliance

Source: 171121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking

Source: Malware configuration extractor URLs: https://onedrive.live.com/downloa
Source: unknown DNS traffic detected: queries for: onedrive.live.com

System Summary

Source: initial sample Static PE information: Filename: 171121_PDF.exe
Source: 171121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 171121_PDF.exe, 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232F695 NtProtectVirtualMemory, 0_2_0232F695
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232FB8E NtResumeThread, 0_2_0232FB8E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232CFC2 NtAllocateVirtualMemory, 0_2_0232CFC2
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D210 NtAllocateVirtualMemory, 0_2_0232D210
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D295 NtAllocateVirtualMemory, 0_2_0232D295
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D2E0 NtAllocateVirtualMemory, 0_2_0232D2E0
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D311 NtAllocateVirtualMemory, 0_2_0232D311
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D046 NtAllocateVirtualMemory, 0_2_0232D046
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D0E6 NtAllocateVirtualMemory, 0_2_0232D0E6
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D0D1 NtAllocateVirtualMemory, 0_2_0232D0D1
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232D13C NtAllocateVirtualMemory, 0_2_0232D13C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_02328A05 NtWriteVirtualMemory, 0_2_02328A05
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232CFED NtAllocateVirtualMemory, 0_2_0232CFED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320F695 NtProtectVirtualMemory, 15_2_0320F695
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320CFC2 NtAllocateVirtualMemory, 15_2_0320CFC2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D311 NtAllocateVirtualMemory, 15_2_0320D311
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D210 NtAllocateVirtualMemory, 15_2_0320D210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D295 NtAllocateVirtualMemory, 15_2_0320D295
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D2E0 NtAllocateVirtualMemory, 15_2_0320D2E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D13C NtAllocateVirtualMemory, 15_2_0320D13C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D046 NtAllocateVirtualMemory, 15_2_0320D046
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D0E6 NtAllocateVirtualMemory, 15_2_0320D0E6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320D0D1 NtAllocateVirtualMemory, 15_2_0320D0D1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320CFED NtAllocateVirtualMemory, 15_2_0320CFED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process Stats: CPU usage > 98%
Source: 171121_PDF.exe Virustotal: Detection: 60%
Source: 171121_PDF.exe Metadefender: Detection: 17%
Source: 171121_PDF.exe ReversingLabs: Detection: 67%
Source: 171121_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\171121_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\171121_PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DFD14B856B0CE15507.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/2@2/0

Data Obfuscation

Source: Yara match File source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00405241 pushfd ; retf 0_2_00405242
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00405A57 push 0000004Bh; retf 0_2_00405A7B
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00408858 push 00000018h; ret 0_2_0040885A
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0040A864 push esi; iretd 0_2_0040A865
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00405A7F push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00406A27 push es; iretd 0_2_00406A35
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00405AD4 push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_00405CFE push 18FEA023h; retf 0_2_00405D16
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_004086A1 push edx; iretd 0_2_004086AE
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232816B push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_023281D4 push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232564B push ebp; iretd 0_2_0232564C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232A7C6 push ecx; ret 0_2_0232A7DA
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_02321834 push es; retf 0_2_0232183A
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_02322EF5 push ebp; iretd 0_2_02322F47
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_02320F16 push edx; ret 0_2_02320F31
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_02322F48 pushad ; iretd 0_2_02322F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320816B push ss; iretd 15_2_032081C4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320A7C6 push ecx; ret 15_2_0320A7DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320564B push ebp; iretd 15_2_0320564C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_03201834 push es; retf 15_2_0320183A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_03200F16 push edx; ret 15_2_03200F31
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_03202F48 pushad ; iretd 15_2_03202F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_03202EF5 push ebp; iretd 15_2_03202F47
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2
Source: C:\Users\user\Desktop\171121_PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\171121_PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\171121_PDF.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_023240AA rdtsc 0_2_023240AA
Source: C:\Users\user\Desktop\171121_PDF.exe System information queried: ModuleInformation
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\171121_PDF.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_023296BF mov eax, dword ptr fs:[00000030h] 0_2_023296BF
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232E59E mov eax, dword ptr fs:[00000030h] 0_2_0232E59E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232C982 mov eax, dword ptr fs:[00000030h] 0_2_0232C982
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232BEA2 mov eax, dword ptr fs:[00000030h] 0_2_0232BEA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_032096BF mov eax, dword ptr fs:[00000030h] 15_2_032096BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320E59E mov eax, dword ptr fs:[00000030h] 15_2_0320E59E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320C982 mov eax, dword ptr fs:[00000030h] 15_2_0320C982
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 15_2_0320BEA2 mov eax, dword ptr fs:[00000030h] 15_2_0320BEA2
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_023240AA rdtsc 0_2_023240AA
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 0_2_0232AB06 LdrInitializeThunk, 0_2_0232AB06

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3200000
Source: C:\Users\user\Desktop\171121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information

Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos