Source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"} |
Source: SdEkI4IDqd.exe |
ReversingLabs: Detection: 11% |
Source: SdEkI4IDqd.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: SdEkI4IDqd.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
1_2_00405C49 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_00406873 FindFirstFileW,FindClose, |
1_2_00406873 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0040290B FindFirstFileW, |
1_2_0040290B |
Source: Malware configuration extractor |
URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.bin |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: SdEkI4IDqd.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: SdEkI4IDqd.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
1_2_004056DE |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
1_2_0040352D |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0040755C |
1_2_0040755C |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_00406D85 |
1_2_00406D85 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_702A1BFF |
1_2_702A1BFF |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430584A |
1_2_0430584A |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04306034 |
1_2_04306034 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305E2F |
1_2_04305E2F |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430801C |
1_2_0430801C |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305855 |
1_2_04305855 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305CB0 |
1_2_04305CB0 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043042ED |
1_2_043042ED |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043082D0 |
1_2_043082D0 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04304D3E |
1_2_04304D3E |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305B2F |
1_2_04305B2F |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04307D7D |
1_2_04307D7D |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04304543 |
1_2_04304543 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430554A |
1_2_0430554A |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04306F88 |
1_2_04306F88 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305BD9 |
1_2_04305BD9 |
Source: SdEkI4IDqd.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430584A NtAllocateVirtualMemory, |
1_2_0430584A |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305855 NtAllocateVirtualMemory, |
1_2_04305855 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
File read: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Source: SdEkI4IDqd.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
File created: C:\Users\user\AppData\Local\Temp\nsp7CAF.tmp |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/3@0/0 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_004021AA CoCreateInstance, |
1_2_004021AA |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
1_2_0040498A |
Source: Yara match |
File source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_702A30C0 push eax; ret |
1_2_702A30EE |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04306436 push edi; retf |
1_2_0430643E |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430300E push ecx; ret |
1_2_0430300F |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430304F push es; retn 0010h |
1_2_0430305A |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043010AF push edx; ret |
1_2_043010B0 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04306487 push esi; iretd |
1_2_04306488 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043007E3 push cs; retf |
1_2_043007E5 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_702A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
1_2_702A1BFF |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
File created: C:\Users\user\AppData\Local\Temp\nsv7EA4.tmp\System.dll |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
RDTSC instruction interceptor: First address: 0000000004307462 second address: 0000000004307462 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 767D2D08h
0x00000007 xor eax, 3DB3D81Dh
0x0000000c xor eax, 7DF81DA8h
0x00000011 add eax, C9C91744h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F71B8C8FACAh
0x0000001e lfence
0x00000021 mov edx, 719799E7h
0x00000026 xor edx, 4CF121DBh
0x0000002c add edx, F85B2DFFh
0x00000032 xor edx, 4A3FE62Fh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d cmp ax, dx
0x00000040 cmp ebx, edx
0x00000042 ret
0x00000043 sub edx, esi
0x00000045 ret
0x00000046 add edi, edx
0x00000048 dec dword ptr [ebp+000000F8h]
0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h
0x00000055 jne 00007F71B8C8FAACh
0x00000057 call 00007F71B8C8FB15h
0x0000005c call 00007F71B8C8FAEBh
0x00000061 lfence
0x00000064 mov edx, 719799E7h
0x00000069 xor edx, 4CF121DBh
0x0000006f add edx, F85B2DFFh
0x00000075 xor edx, 4A3FE62Fh
0x0000007b mov edx, dword ptr [edx]
0x0000007d lfence
0x00000080 cmp ax, dx
0x00000083 cmp ebx, edx
0x00000085 ret
0x00000086 mov esi, edx
0x00000088 pushad
0x00000089 rdtsc |
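The two mov/xor/add chains in the RDTSC trace fold to fixed values, and those values are what tell an analyst what the timing check actually does. The script below is an added example (it is not part of the sandbox report and not code from the sample) that constant-folds the chains in the first block of the listing, up to the first ret, embedded exactly as the report prints it. Folding gives EAX = 0x00000001 before CPUID, i.e. leaf 1 whose ECX bit 31 is the hypervisor-present flag, and EDX = 0x7FFE0014 before the memory read, which is the SystemTime field of KUSER_SHARED_DATA at its fixed user-mode address in 32-bit processes. The field-name table, the describe() helper and the choice of which instructions invalidate tracked registers are the example's own assumptions; the register arithmetic is plain 32-bit wraparound.

```python
import re

MASK32 = 0xFFFFFFFF

# Instruction listing copied from the sandbox's "RDTSC instruction interceptor"
# finding above (first block, up to the first ret), in the flat form the report uses.
TRACE = (
    "0x00000000 rdtsc 0x00000002 mov eax, 767D2D08h 0x00000007 xor eax, 3DB3D81Dh "
    "0x0000000c xor eax, 7DF81DA8h 0x00000011 add eax, C9C91744h 0x00000016 cpuid "
    "0x00000018 popad 0x00000019 call 00007F71B8C8FACAh 0x0000001e lfence "
    "0x00000021 mov edx, 719799E7h 0x00000026 xor edx, 4CF121DBh "
    "0x0000002c add edx, F85B2DFFh 0x00000032 xor edx, 4A3FE62Fh "
    "0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp ax, dx "
    "0x00000040 cmp ebx, edx 0x00000042 ret"
)

# KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every 32-bit process.
# Only the leading fields are listed here (assumed table, enough to name the
# address this trace dereferences).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {
    0x00: "TickCountLowDeprecated",
    0x04: "TickCountMultiplier",
    0x08: "InterruptTime",
    0x14: "SystemTime",
    0x20: "TimeZoneBias",
}

# After these instructions the tracked register values are no longer trusted
# (they write or restore general registers, or transfer control).
CLOBBERS = {"rdtsc", "cpuid", "popad", "pushad", "call", "ret"}


def split_instructions(trace):
    """Turn the flat 'offset mnemonic operands offset ...' text into tuples."""
    parts = re.split(r"\s*(0x[0-9a-fA-F]{8})\s+", trace.strip())
    tokens = parts[1:]  # parts[0] is the empty prefix before the first offset
    out = []
    for i in range(0, len(tokens) - 1, 2):
        fields = tokens[i + 1].strip().split(None, 1)
        mnemonic = fields[0]
        operands = fields[1] if len(fields) > 1 else ""
        out.append((int(tokens[i], 16), mnemonic, operands))
    return out


def parse_imm(text):
    """Parse a MASM-style immediate such as '767D2D08h'; None if not an immediate."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", text.strip())
    return int(m.group(1), 16) if m else None


def resolve_chains(instructions):
    """
    Constant-fold mov/xor/add/sub immediate chains on 32-bit registers.
    Returns (offset, register, value, sink) for every point where a folded value
    is consumed: EAX fed into CPUID, or a register used as the address in
    'mov reg, dword ptr [reg]'.
    """
    regs = {}
    hits = []
    for off, mnem, ops in instructions:
        if mnem in ("mov", "xor", "add", "sub") and "," in ops:
            dst, src = (o.strip() for o in ops.split(",", 1))
            if mnem == "mov" and src.startswith("dword ptr"):
                base = src[src.index("[") + 1 : src.index("]")]
                if base in regs:
                    hits.append((off, base, regs[base], "deref"))
                regs.pop(dst, None)  # the loaded value is runtime data, not a constant
                continue
            imm = parse_imm(src)
            if imm is None:
                regs.pop(dst, None)  # register-to-register: stop folding this register
            elif mnem == "mov":
                regs[dst] = imm
            elif dst in regs:
                if mnem == "xor":
                    regs[dst] ^= imm
                elif mnem == "add":
                    regs[dst] = (regs[dst] + imm) & MASK32
                else:
                    regs[dst] = (regs[dst] - imm) & MASK32
        elif mnem == "cpuid":
            if "eax" in regs:
                hits.append((off, "eax", regs["eax"], "cpuid"))
            regs.clear()
        elif mnem in CLOBBERS:
            regs.clear()
    return hits


def describe(value, sink):
    """Human-readable meaning of a folded constant where it is unambiguous."""
    if sink == "cpuid":
        note = " (ECX bit 31 = hypervisor present)" if value == 1 else ""
        return f"CPUID leaf {value:#x}" + note
    delta = value - KUSER_SHARED_DATA
    if 0 <= delta < 0x1000:
        name = KUSER_FIELDS.get(delta, f"+{delta:#x}")
        return f"KUSER_SHARED_DATA.{name} ({value:#010x})"
    return f"{value:#010x}"


if __name__ == "__main__":
    for off, reg, val, sink in resolve_chains(split_instructions(TRACE)):
        print(f"{off:#06x}: {reg} = {val:#010x}  [{sink}]  {describe(val, sink)}")
```

Run stand-alone it prints the two consumers: CPUID at 0x16 with EAX = 0x1 and the dereference at 0x38 of 0x7FFE0014. The same folding applies to the second block of the listing, which repeats the EDX chain verbatim; the cmp ax, dx / cmp ebx, edx that follow compare the low words of the RDTSC result with the system time read from shared memory, which is why the sandbox hooks RDTSC here.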
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430745A rdtsc |
1_2_0430745A |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04305429 mov eax, dword ptr fs:[00000030h] |
1_2_04305429 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_0430707C mov eax, dword ptr fs:[00000030h] |
1_2_0430707C |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04307D7D mov eax, dword ptr fs:[00000030h] |
1_2_04307D7D |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043041D3 mov eax, dword ptr fs:[00000030h] |
1_2_043041D3 |
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_04306BD6 mov eax, dword ptr fs:[00000030h] |
1_2_04306BD6 |
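The flagged fs:[30h] PEB reads, the rdtsc/cpuid pair and the push-then-ret shapes are all short fixed byte sequences, so a dumped region such as the 0x04300000 block can be triaged for them before any disassembly. The scanner below is an added example, not part of the report or of the sample. Its patterns are the standard IA-32 encodings (64 A1 disp32 and 64 8B /r disp32 for the fs-relative load, 0F 31 rdtsc, 0F A2 cpuid, 0F AE E8 lfence, 50+r push r32, C3/CB/CF/C2 returns); the SAMPLE blob is hand-assembled from the first instructions of the RDTSC trace plus a PEB read and two junk-code shapes, and BENIGN is a constructed string that shows the false-positive case (a capital U followed by the UTF-8 lead byte 0xC3 is also push ebp; ret). The scoring rule in triage() is the example's own heuristic.

```python
import re

# IA-32 encodings of the instruction shapes flagged in the 0x0430xxxx region.
PATTERNS = {
    "rdtsc":        rb"\x0f\x31",
    "cpuid":        rb"\x0f\xa2",
    "lfence":       rb"\x0f\xae\xe8",
    # mov eax, fs:[30h] (64 A1 disp32) or mov r32, fs:[30h] (64 8B /r disp32)
    "peb_fs30":     rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00",
    # push r32 followed by ret / retf / iretd: return-address hijack and junk code
    "push_r32_ret": rb"[\x50-\x57][\xc3\xcb\xcf]",
    # push es/cs/ss/ds followed by ret / retf / iretd / retn imm16: decoy code
    "push_seg_ret": rb"[\x06\x0e\x16\x1e](?:[\xc3\xcb\xcf]|\xc2..)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in PATTERNS.items()}

# Constructed sample: the start of the RDTSC trace hand-assembled, then a PEB
# read and two of the push/ret shapes the sandbox reported.
SAMPLE = bytes.fromhex(
    "0f31"          # rdtsc
    "b8082d7d76"    # mov eax, 767D2D08h
    "351dd8b33d"    # xor eax, 3DB3D81Dh
    "35a81df87d"    # xor eax, 7DF81DA8h
    "054417c9c9"    # add eax, C9C91744h
    "0fa2"          # cpuid
    "61"            # popad
    "0faee8"        # lfence
    "64a130000000"  # mov eax, fs:[30h]
    "57cb"          # push edi; retf
    "0ecb"          # push cs; retf
    "50c3"          # push eax; ret
)
# Constructed benign input: 'U' (0x55) + UTF-8 lead byte 0xC3 looks like push ebp; ret.
BENIGN = b"Unicode text: caf\xc3\xa9 and U\xc3\x9f, plus the digits 0f31 as ASCII"


def scan(blob):
    """Return {pattern name: [offsets]} for every non-overlapping hit in blob."""
    return {name: [m.start() for m in rx.finditer(blob)] for name, rx in COMPILED.items()}


def triage(blob, min_timing_pairs=1, min_peb=1):
    """
    Cheap verdict: a region that reads the PEB through fs:[30h] and pairs rdtsc
    with cpuid/lfence fencing deserves a closer look. push/ret shapes are counted
    but not scored, because two-byte sequences like 55 C3 occur in ordinary data.
    """
    hits = scan(blob)
    timing = min(len(hits["rdtsc"]), len(hits["cpuid"]) + len(hits["lfence"]))
    suspicious = timing >= min_timing_pairs and len(hits["peb_fs30"]) >= min_peb
    return {"suspicious": suspicious, "counts": {k: len(v) for k, v in hits.items()}}


if __name__ == "__main__":
    for label, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(label, triage(blob))
```

Opcode grepping is a first pass only: the region must also be executable (the sandbox reports it as a 0x40, i.e. PAGE_EXECUTE_READWRITE, allocation), and any hit should be confirmed by disassembling at the reported offsets, since the same bytes can sit in the middle of a longer instruction or in data.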
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe |
Code function: 1_2_043089CA RtlAddVectoredExceptionHandler, |
1_2_043089CA |