Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name: 171121_PDF.exe
Analysis ID: 558240
MD5: 60d8b8589ba8045361ae148ee76c7582
SHA1: 328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256: 8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32-bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name in the version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}
Source: 171121_PDF.exe Virustotal: Detection: 60%
Source: 171121_PDF.exe Metadefender: Detection: 17%
Source: 171121_PDF.exe ReversingLabs: Detection: 67%
Source: Yara match File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR
Source: 171121_PDF.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe Avira: detection malicious, Label: TR/AD.Nekark.jinay
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe ReversingLabs: Detection: 67%
Source: 171121_PDF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe Joe Sandbox ML: detected
Source: 2.0.171121_PDF.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.jinay

Compliance

Source: 171121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking

Source: Malware configuration extractor URLs: https://onedrive.live.com/downloa
Source: unknown DNS query: name: olufem.ddns.net
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 flows; 1.1.1.1 is Cloudflare's public resolver, so the flows are consistent with name lookups sent directly to an external resolver instead of the sandbox's configured one)
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/#
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/K
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/e
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/rer
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/y#
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/c
Source: ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS
Source: unknown DNS traffic detected: queries for: onedrive.live.com
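The Networking findings above translate into three checks a network analyst would want to run. The following Python is an added example written for this page; it is not part of the Joe Sandbox report. It flags UDP/53 flows to a resolver other than the network's own (the ten flows to 1.1.1.1 above, on the assumption that they are DNS, which the report does not state), lookups of dynamic-DNS names such as olufem.ddns.net (the provider-suffix list is a short assumed list, not from the report), and the cid/resid/authkey parameters of the OneDrive download URL recovered from ieinstal.exe memory. The approved resolver address 10.0.0.53 and all flow records are constructed.

```python
"""Network-indicator checks modelled on the Networking findings above.
The flow records are constructed for this example; they are not the sandbox's pcap."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the monitored network's own DNS resolver
# Assumption: a short list of dynamic-DNS provider suffixes; extend it from your own intel.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "duckdns.org", "dynu.net")
# Full download URL as recovered from ieinstal.exe memory in the report.
ONEDRIVE_URL = ("https://onedrive.live.com/download?cid=176929A81F7E1249"
                "&resid=176929A81F7E1249%211217&authkey=ABMgMSTxNC_3pVk")


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int
    qname: Optional[str] = None  # DNS question name when the payload parsed as DNS


# Constructed flows: the sanctioned resolver handles onedrive.live.com and the DDNS name,
# ten UDP flows go straight to 1.1.1.1 as in the report, and one TCP flow stands in for
# the C2 connection (TEST-NET-3 address, not an indicator from the report).
SAMPLE_FLOWS = (
    [Flow("udp", "10.0.0.53", 53, "onedrive.live.com")]
    + [Flow("udp", "1.1.1.1", 53)] * 10
    + [Flow("udp", "10.0.0.53", 53, "olufem.ddns.net"), Flow("tcp", "203.0.113.10", 443)]
)


def is_dynamic_dns(host: str) -> bool:
    """True when host is, or is under, a known dynamic-DNS provider suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def resolver_bypass(flows):
    """Count UDP/53 flows per destination that is not an approved resolver.
    Malware carrying its own resolver address keeps its lookups out of local DNS logs."""
    return dict(Counter(f.dst_ip for f in flows
                        if f.proto == "udp" and f.dst_port == 53
                        and f.dst_ip not in APPROVED_RESOLVERS))


def dyndns_lookups(flows):
    """Distinct dynamic-DNS names queried through any resolver."""
    return sorted({f.qname for f in flows if f.qname and is_dynamic_dns(f.qname)})


def onedrive_file_ids(url: str) -> dict:
    """cid/resid/authkey identify the hosted payload independently of the
    d34m1w.bn.files.1drv.com host it was served from, so they are the stable indicator."""
    q = parse_qs(urlsplit(url).query)
    return {k: q[k][0] for k in ("cid", "resid", "authkey") if k in q}


if __name__ == "__main__":
    print("resolver bypass:", resolver_bypass(SAMPLE_FLOWS))
    print("dynamic DNS lookups:", dyndns_lookups(SAMPLE_FLOWS))
    print("OneDrive payload ids:", onedrive_file_ids(ONEDRIVE_URL))
```

Blocking the download host alone is weak, since the `*.files.1drv.com` name is per-download; the `cid`/`resid` pair is what you report to Microsoft and match on in proxy logs.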

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Windows user hook set: thread 0 (all threads on the desktop, i.e. a global hook), keyboard low level, installed from C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud

Source: Yara match File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

System Summary

Source: initial sample Static PE information: Filename: 171121_PDF.exe
Source: 171121_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405A7F 2_2_00405A7F
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0040721E 2_2_0040721E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00406A36 2_2_00406A36
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405395 2_2_00405395
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023684F7 2_2_023684F7
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02361A5F 2_2_02361A5F
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236FB8E 2_2_0236FB8E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236CFC2 2_2_0236CFC2
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236330D 2_2_0236330D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236702D 2_2_0236702D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02367005 2_2_02367005
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E629 2_2_0236E629
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E665 2_2_0236E665
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D66F 2_2_0236D66F
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D698 2_2_0236D698
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E6F9 2_2_0236E6F9
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E6CD 2_2_0236E6CD
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E734 2_2_0236E734
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236272C 2_2_0236272C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D71E 2_2_0236D71E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E76E 2_2_0236E76E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D758 2_2_0236D758
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02369784 2_2_02369784
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023647F1 2_2_023647F1
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02367463 2_2_02367463
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E59E 2_2_0236E59E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E5EC 2_2_0236E5EC
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236DA30 2_2_0236DA30
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02360A5C 2_2_02360A5C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364A41 2_2_02364A41
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364A81 2_2_02364A81
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364AE4 2_2_02364AE4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364B2E 2_2_02364B2E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364BB4 2_2_02364BB4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236DBC5 2_2_0236DBC5
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364819 2_2_02364819
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E819 2_2_0236E819
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D855 2_2_0236D855
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E844 2_2_0236E844
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D89D 2_2_0236D89D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023648DD 2_2_023648DD
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D989 2_2_0236D989
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D9D1 2_2_0236D9D1
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236CFED 2_2_0236CFED
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02366FD9 2_2_02366FD9
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02364C32 2_2_02364C32
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02361DBE 2_2_02361DBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 5_2_030103D9 5_2_030103D9
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236F695 NtProtectVirtualMemory, 2_2_0236F695
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236CFC2 NtAllocateVirtualMemory, 2_2_0236CFC2
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D210 NtAllocateVirtualMemory, 2_2_0236D210
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D295 NtAllocateVirtualMemory, 2_2_0236D295
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D2E0 NtAllocateVirtualMemory, 2_2_0236D2E0
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D311 NtAllocateVirtualMemory, 2_2_0236D311
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D046 NtAllocateVirtualMemory, 2_2_0236D046
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D0E6 NtAllocateVirtualMemory, 2_2_0236D0E6
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D0D1 NtAllocateVirtualMemory, 2_2_0236D0D1
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236D13C NtAllocateVirtualMemory, 2_2_0236D13C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02368A05 NtWriteVirtualMemory, 2_2_02368A05
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236CFED NtAllocateVirtualMemory, 2_2_0236CFED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 5_2_03010951 Sleep,NtProtectVirtualMemory, 5_2_03010951
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 5_2_03010A64 NtProtectVirtualMemory, 5_2_03010A64
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 5_2_03010A5D NtProtectVirtualMemory, 5_2_03010A5D
Source: 171121_PDF.exe, 00000002.00000000.95004111933.0000000000419000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: C:\Users\user\Desktop\171121_PDF.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll
Source: 171121_PDF.exe Static PE information: invalid certificate
Source: 171121_PDF.exe Virustotal: Detection: 60%
Source: 171121_PDF.exe Metadefender: Detection: 17%
Source: 171121_PDF.exe ReversingLabs: Detection: 67%
Source: 171121_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\171121_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\171121_PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the VB6 runtime)
Source: unknown Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe" (reported twice; the child image is ieinstal.exe but its command line is the parent's own path, the image/command-line mismatch expected when a legitimate binary is started suspended and overwritten with injected code, see "Creates a process in suspended mode" and "Memory written" below)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Roaming\wifitskl
Source: C:\Users\user\Desktop\171121_PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@10/1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-RA5QGA

Data Obfuscation

Source: Yara match File source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405241 pushfd ; retf 2_2_00405242
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405A57 push 0000004Bh; retf 2_2_00405A7B
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00408858 push 00000018h; ret 2_2_0040885A
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0040A864 push esi; iretd 2_2_0040A865
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405A7F push ebx; ret 2_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00406A27 push es; iretd 2_2_00406A35
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405AD4 push ebx; ret 2_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_00405CFE push 18FEA023h; retf 2_2_00405D16
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_004086A1 push edx; iretd 2_2_004086AE
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236816B push ss; iretd 2_2_023681C4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023681D4 push ss; iretd 2_2_023681C4
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236564B push ebp; iretd 2_2_0236564C
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236A7C6 push ecx; ret 2_2_0236A7DA
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02361834 push es; retf 2_2_0236183A
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02362EF5 push ebp; iretd 2_2_02362F47
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02360F16 push edx; ret 2_2_02360F31
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_02362F48 pushad ; iretd 2_2_02362F57

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File created: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe (dropped file)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 (reported twice)
Source: C:\Users\user\Desktop\171121_PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)
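The System Summary and Persistence findings above describe one chain: the sample starts ieinstal.exe with its own command line, writes into it, and the hollowed ieinstal.exe then drops vagabo.exe and sets a Run key. The Python below is an added hunting example for this page, not part of the report: it runs a few rules over constructed Sysmon-style events modelled on those findings. PID 7000 for ieinstal.exe is taken from the report; the other PIDs, the notepad.exe control event, and the Run value data (the report names the value Skuffejernenesco2 but not its data) are assumptions.

```python
"""Hunt for the process-hollowing and persistence pattern described in the report, over
constructed Sysmon-style events (modelled on the findings; not telemetry from the sandbox)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events. PID 7000 (ieinstal.exe) is from the report; 4000, 6000, 8000 and the
# Run value data are assumptions made for this example.
EVENTS = [
    {"type": "process_create", "pid": 6000, "ppid": 4000,
     "image": r"C:\Users\user\Desktop\171121_PDF.exe",
     "cmdline": r'"C:\Users\user\Desktop\171121_PDF.exe"'},
    {"type": "process_create", "pid": 7000, "ppid": 6000,
     "image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "cmdline": r'"C:\Users\user\Desktop\171121_PDF.exe"'},
    {"type": "memory_write", "pid": 6000, "target_pid": 7000, "base": 0x3000000},
    {"type": "file_create", "pid": 7000,
     "path": r"C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe"},
    {"type": "registry_set", "pid": 7000,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Skuffejernenesco2",
     "data": r"C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe"},  # assumed value data
    # Benign control: a process whose command line names its own image.
    {"type": "process_create", "pid": 8000, "ppid": 4000,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" a.txt'},
]

USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


def first_token(cmdline: str) -> str:
    """Program name from a Windows command line: the quoted string, or text up to a space."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def cmdline_image_mismatch(ev) -> bool:
    """True when argv[0] names a different executable than the process image. A hollowed
    child started with its parent's command line (ieinstal.exe above) shows exactly this."""
    argv0 = PureWindowsPath(first_token(ev["cmdline"])).name.lower()
    return argv0 != PureWindowsPath(ev["image"]).name.lower()


def run_key_write(ev) -> bool:
    return ev["type"] == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run")


def hunt(events):
    """Collect findings per PID; a hollowed process accumulates several unrelated ones."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create" and cmdline_image_mismatch(ev):
            findings[ev["pid"]].append(
                f"command line names {first_token(ev['cmdline'])} but image is {ev['image']}")
        elif ev["type"] == "memory_write" and ev["target_pid"] != ev["pid"]:
            findings[ev["target_pid"]].append(
                f"memory written by pid {ev['pid']} at {ev['base']:#x}")
        elif (ev["type"] == "file_create" and ev["path"].lower().endswith(".exe")
              and any(p in ev["path"].lower() for p in USER_WRITABLE)):
            findings[ev["pid"]].append(f"PE dropped in user-writable path {ev['path']}")
        elif run_key_write(ev):
            findings[ev["pid"]].append(f"Run key persistence {ev['name']} -> {ev['data']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in hunt(EVENTS).items():
        print(pid)
        for n in notes:
            print("  -", n)
```

The command-line/image comparison is the cheapest of these rules and needs only process-creation logging; the memory-write and Run-key rules need Sysmon event IDs 8/10 and 13 (or equivalent EDR telemetry) to fire.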

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\171121_PDF.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=176929A81F7E1249&RESID=176929A81F7E1249%211217&AUTHKEY=ABMGMSTXNC_3PVK
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 Thread sleep count: 9108 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 Thread sleep time: -45540s >= -30000s (9108 sleeps of 5 units each, 9108 x 5 = 45540; the total crosses the threshold through many short sleeps, none of which would by itself register as a delay)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 9108 delay: -5
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023640AA rdtsc 2_2_023640AA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 9108
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: foregroundWindowGot 673
Source: C:\Users\user\Desktop\171121_PDF.exe System information queried: ModuleInformation
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMSTxNC_3pVk
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: ieinstal.exe, 00000005.00000002.100061775312.000000000347A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
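The sleep findings above (9108 sleeps of 5 units in one thread, 45540 in total) show why a per-call sleep threshold is not enough. The Python below is an added example for this page and not part of the report: it models a naive per-call rule, the aggregate rule that the report's "count > 30" and "total >= 30000" thresholds imply, and the wall-clock cost under a sandbox that skips long sleeps. The sleep events are constructed from the reported counts; the unit is assumed to be milliseconds, and thread 1200 is an invented control.

```python
"""Model of the sleep-loop heuristic behind the 'Thread sleep count: 9108 > 30' and
'Thread sleep time: -45540 >= -30000' findings above. The sleep events are constructed."""
from collections import defaultdict

# Constructed: thread 996 sleeps 9108 times for 5 units each (the counts reported above;
# the unit is assumed to be milliseconds). Thread 1200 is a control with one 2000-unit sleep.
SLEEP_CALLS = [(996, 5)] * 9108 + [(1200, 2000)]


def per_call_hits(calls, threshold_ms=30000):
    """Naive rule: flag individual sleeps at or above the threshold. Misses short-sleep loops."""
    return [(tid, ms) for tid, ms in calls if ms >= threshold_ms]


def aggregate_sleeps(calls, min_count=30, min_total_ms=30000):
    """Per-thread totals. A thread is flagged when it both loops (count > min_count) and
    accumulates at least min_total_ms of delay, whatever the length of any single sleep."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for tid, ms in calls:
        stats[tid]["count"] += 1
        stats[tid]["total_ms"] += ms
    for s in stats.values():
        s["evasive"] = s["count"] > min_count and s["total_ms"] >= min_total_ms
    return dict(stats)


def wall_clock_under_skip(calls, skip_above_ms=1000):
    """Time actually spent sleeping when the analysis environment skips sleeps longer than
    skip_above_ms (a common sandbox trick). Short-sleep loops are untouched by it."""
    return sum(ms for _, ms in calls if ms <= skip_above_ms)


if __name__ == "__main__":
    print("per-call hits:", per_call_hits(SLEEP_CALLS))
    print("aggregate:", aggregate_sleeps(SLEEP_CALLS))
    print("ms spent under skip policy:", wall_clock_under_skip(SLEEP_CALLS))
```

The practical consequence: to beat this loop a sandbox has to accelerate the clock or count calls per thread, not skip individual long sleeps.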

Anti Debugging

Source: C:\Users\user\Desktop\171121_PDF.exe Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger; the thread stops delivering debug events)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023640AA rdtsc 2_2_023640AA
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_023696BF mov eax, dword ptr fs:[00000030h] 2_2_023696BF
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236E59E mov eax, dword ptr fs:[00000030h] 2_2_0236E59E
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236C982 mov eax, dword ptr fs:[00000030h] 2_2_0236C982
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236BEA2 mov eax, dword ptr fs:[00000030h] 2_2_0236BEA2
Source: C:\Users\user\Desktop\171121_PDF.exe Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort; a non-zero result means a debugger is attached)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236AB06 LdrInitializeThunk, 2_2_0236AB06
Source: C:\Users\user\Desktop\171121_PDF.exe Code function: 2_2_0236FB8E RtlAddVectoredExceptionHandler, 2_2_0236FB8E
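The Data Obfuscation findings above list push/ret, push/retf and push/iretd pairs, and the Anti Debugging findings list `mov eax, dword ptr fs:[00000030h]` (the PEB pointer) and `rdtsc`. The following Python linear-sweep scanner is an added example for this page, not tooling from the report: it decodes the push and ret instruction families byte by byte, reports every adjacent pair with the jump target for `push imm; ret`, and finds the two fixed anti-debug sequences. SAMPLE_CODE is a constructed byte string that mirrors several of the reported sequences; it is not bytes from the sample.

```python
"""Linear scan for the instruction sequences the Data Obfuscation and Anti Debugging
findings above report: a push-family instruction directly followed by a ret-family
instruction, the PEB read 'mov eax, fs:[30h]', and 'rdtsc'. SAMPLE_CODE is constructed."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET1 = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
FIXED = {
    bytes.fromhex("64A130000000"): "mov eax, fs:[30h] (PEB read)",
    bytes.fromhex("0F31"): "rdtsc",
}


def decode_push(buf, i):
    """(length, text, immediate) if buf[i:] starts with a push-family opcode, else None."""
    op = buf[i]
    if op == 0x68 and i + 5 <= len(buf):            # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return 5, f"push {imm:08X}h", imm
    if op == 0x6A and i + 2 <= len(buf):            # push imm8, sign-extended to 32 bits
        imm = buf[i + 1] - 0x100 if buf[i + 1] & 0x80 else buf[i + 1]
        return 2, f"push {imm & 0xFFFFFFFF:08X}h", imm & 0xFFFFFFFF
    if 0x50 <= op <= 0x57:                          # push r32
        return 1, f"push {REG32[op - 0x50]}", None
    if op in PUSH_SEG:                              # push es/cs/ss/ds
        return 1, f"push {PUSH_SEG[op]}", None
    if op == 0x9C:
        return 1, "pushfd", None
    if op == 0x60:
        return 1, "pushad", None
    return None


def decode_ret(buf, i):
    """(length, text) if buf[i:] starts with a ret-family opcode, else None."""
    op = buf[i]
    if op in RET1:
        return 1, RET1[op]
    if op in (0xC2, 0xCA) and i + 3 <= len(buf):    # ret imm16 / retf imm16
        n = int.from_bytes(buf[i + 1:i + 3], "little")
        return 3, f"{'ret' if op == 0xC2 else 'retf'} {n:X}h"
    return None


def find_push_ret(buf, base=0):
    """Every push immediately followed by a ret. 'push imm; ret' is an indirect jump to imm;
    the other pairings are junk sequences (or misdecoded data) typical of obfuscated code."""
    hits = []
    for i in range(len(buf)):
        p = decode_push(buf, i)
        if p is None or i + p[0] >= len(buf):
            continue
        r = decode_ret(buf, i + p[0])
        if r is not None:
            hits.append({"va": base + i, "push": p[1], "ret": r[1], "target": p[2]})
    return hits


def find_fixed_patterns(buf, base=0):
    """Offsets of the fixed anti-debug sequences in FIXED, in address order."""
    hits = []
    for pattern, name in FIXED.items():
        i = buf.find(pattern)
        while i != -1:
            hits.append((base + i, name))
            i = buf.find(pattern, i + 1)
    return sorted(hits)


# Constructed buffer mirroring sequences from the findings (push 18FEA023h; retf,
# push 18h; ret, pushfd; retf, push esi; iretd), then a PEB read and rdtsc.
SAMPLE_CODE = bytes.fromhex(
    "9090" "6823A0FE18CB" "8B4508" "6A18C3" "9CCB" "56CF" "64A130000000" "0F31" "C3"
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_CODE, base=0x400000):
        print(f"{h['va']:08X}  {h['push']}; {h['ret']}  target={h['target']}")
    for va, name in find_fixed_patterns(SAMPLE_CODE, base=0x400000):
        print(f"{va:08X}  {name}")
```

A linear sweep of this kind also fires on data and on misaligned code, which is why the report's own list contains pairs such as `push es; iretd` that no compiler emits; treat the count as a triage signal for hand-packed or obfuscated code, not as proof of a specific technique, and confirm the interesting hits in a disassembler that follows control flow.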

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000 (the same region, 00000005.00000000.95166069748.0000000003000000, in which the GuLoader YARA match and the extracted configuration were found and in which the 5_2_0301xxxx code functions listed above execute)
Source: C:\Users\user\Desktop\171121_PDF.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe" (reported twice)
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:6110
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program Manager:\Users
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program ManagerEM
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp, logs.dat.5.dr Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program Managers.net:6110?
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program ManagerEM d
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp Binary or memory string: Program ManagerEM D

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR