Source: 00000000.00000002.767624973.0000000002940000.00000040.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bangladeshshoecity.com/im"} |
Source: cP5nXH8fQI.exe |
Virustotal: Detection: 10% |
Perma Link |
Source: cP5nXH8fQI.exe |
ReversingLabs: Detection: 18% |
Source: cP5nXH8fQI.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: cP5nXH8fQI.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00405C49 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_00406873 FindFirstFileW,FindClose, |
0_2_00406873 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040290B FindFirstFileW, |
0_2_0040290B |
Source: Malware configuration extractor |
URLs: https://bangladeshshoecity.com/im |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: cP5nXH8fQI.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: cP5nXH8fQI.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_004056DE |
Source: cP5nXH8fQI.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_0040352D |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040755C |
0_2_0040755C |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_00406D85 |
0_2_00406D85 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_70581BFF |
0_2_70581BFF |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294559A |
0_2_0294559A |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02943A95 |
0_2_02943A95 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02945881 |
0_2_02945881 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029452F8 |
0_2_029452F8 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02940217 |
0_2_02940217 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02945435 |
0_2_02945435 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294744F |
0_2_0294744F |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294767A |
0_2_0294767A |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294719A |
0_2_0294719A |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029441F1 |
0_2_029441F1 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029439FE |
0_2_029439FE |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029415FB |
0_2_029415FB |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02946D17 |
0_2_02946D17 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02943B22 |
0_2_02943B22 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02943D5A |
0_2_02943D5A |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294734F |
0_2_0294734F |
Source: cP5nXH8fQI.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294559A NtAllocateVirtualMemory, |
0_2_0294559A |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029452F8 NtAllocateVirtualMemory, |
0_2_029452F8 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Process Stats: CPU usage > 98% |
Source: cP5nXH8fQI.exe |
Virustotal: Detection: 10% |
Source: cP5nXH8fQI.exe |
ReversingLabs: Detection: 18% |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
File read: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Jump to behavior |
Source: cP5nXH8fQI.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_0040352D |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
File created: C:\Users\user\AppData\Local\Temp\nsr50D.tmp |
Jump to behavior |
Source: classification engine |
Classification label: mal68.troj.winEXE@1/3@0/0 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_004021AA CoCreateInstance, |
0_2_004021AA |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
0_2_0040498A |
Source: cP5nXH8fQI.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Yara match |
File source: 00000000.00000002.767624973.0000000002940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_705830C0 push eax; ret |
0_2_705830EE |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02942EF0 push es; iretd |
0_2_02942EF3 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_70581BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_70581BFF |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
File created: C:\Users\user\AppData\Local\Temp\nss731.tmp\System.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029450C4 rdtsc |
0_2_029450C4 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00405C49 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_00406873 FindFirstFileW,FindClose, |
0_2_00406873 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040290B FindFirstFileW, |
0_2_0040290B |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294689E mov eax, dword ptr fs:[00000030h] |
0_2_0294689E |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294744F mov eax, dword ptr fs:[00000030h] |
0_2_0294744F |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02944F83 mov eax, dword ptr fs:[00000030h] |
0_2_02944F83 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_02946BA0 mov eax, dword ptr fs:[00000030h] |
0_2_02946BA0 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_70581BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_70581BFF |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_029450C4 rdtsc |
0_2_029450C4 |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0294809F RtlAddVectoredExceptionHandler, |
0_2_0294809F |
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_0040352D |