Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name: 171121_PDF.exe
Analysis ID: 558240
MD5: 60d8b8589ba8045361ae148ee76c7582
SHA1: 328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256: 8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Found stalling execution ending in API Sleep call
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

  • System is w10x64
  • 171121_PDF.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 60D8B8589BA8045361AE148EE76C7582)
    • ieinstal.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup
Malware configuration: {"Payload URL": "https://onedrive.live.com/downloa"}

Yara matches (Source | Rule | Description | Author):
0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

No Sigma rule has matched


        AV Detection

Source: 171121_PDF.exe | Avira: detected
Source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Joe Sandbox ML: detected
Source: 0.0.171121_PDF.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.jinay
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking

Source: Malware configuration extractor | URLs: https://onedrive.live.com/downloa
Source: unknown | DNS traffic detected: queries for: onedrive.live.com

        System Summary

Source: initial sample | Static PE information: Filename: 171121_PDF.exe
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 171121_PDF.exe, 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe | Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232F695: NtProtectVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232FB8E: NtResumeThread
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232CFC2: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D210: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D295: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D2E0: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D311: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D046: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D0E6: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D0D1: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232D13C: NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_02328A05: NtWriteVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232CFED: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320F695: NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320CFC2: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D311: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D210: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D295: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D2E0: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D13C: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D046: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D0E6: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320D0D1: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320CFED: NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process Stats: CPU usage > 98%
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\171121_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\171121_PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD14B856B0CE15507.TMP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/2@2/0

        Data Obfuscation

Source: Yara match | File source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00405241: pushfd ; retf 0_2_00405242
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00405A57: push 0000004Bh; retf 0_2_00405A7B
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00408858: push 00000018h; ret 0_2_0040885A
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0040A864: push esi; iretd 0_2_0040A865
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00405A7F: push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00406A27: push es; iretd 0_2_00406A35
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00405AD4: push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_00405CFE: push 18FEA023h; retf 0_2_00405D16
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_004086A1: push edx; iretd 0_2_004086AE
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232816B: push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_023281D4: push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232564B: push ebp; iretd 0_2_0232564C
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232A7C6: push ecx; ret 0_2_0232A7DA
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_02321834: push es; retf 0_2_0232183A
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_02322EF5: push ebp; iretd 0_2_02322F47
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_02320F16: push edx; ret 0_2_02320F31
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_02322F48: pushad ; iretd 0_2_02322F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320816B: push ss; iretd 15_2_032081C4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320A7C6: push ecx; ret 15_2_0320A7DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320564B: push ebp; iretd 15_2_0320564C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_03201834: push es; retf 15_2_0320183A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_03200F16: push edx; ret 15_2_03200F31
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_03202F48: pushad ; iretd 15_2_03202F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_03202EF5: push ebp; iretd 15_2_03202F47
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2
Source: C:\Users\user\Desktop\171121_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_023240AA: rdtsc
Source: C:\Users\user\Desktop\171121_PDF.exe | System information queried: ModuleInformation
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

        Anti Debugging

Source: C:\Users\user\Desktop\171121_PDF.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_023296BF: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232E59E: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232C982: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232BEA2: mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_032096BF: mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320E59E: mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320C982: mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 15_2_0320BEA2: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_023240AA: rdtsc
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function 0_2_0232AB06: LdrInitializeThunk

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3200000
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

        Stealing of Sensitive Information

Source: Initial file | Signature Results: GuLoader behavior

MITRE ATT&CK Matrix (techniques listed per tactic; the number after a technique is the count shown in the report's matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (112); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (2); Software Packing (1); Process Injection (112); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (311); Virtualization/Sandbox Evasion (2); Process Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data