Windows Analysis Report
SdEkI4IDqd.exe

Overview

General Information

Sample Name: SdEkI4IDqd.exe
Analysis ID: 559536
MD5: 003a7c37f9c06d75aaaa6f9b25dc3c41
SHA1: a847ef8c72d26731963b189caff925a8a757d563
SHA256: 4f29b22b6b787babc2f984172f8ae0e3999b7621aeb6775ce023f2ef5db0b2e7
Tags: exesigned

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Drops PE files
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"}
Source: SdEkI4IDqd.exe ReversingLabs: Detection: 11%

Compliance

Source: SdEkI4IDqd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SdEkI4IDqd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: Malware configuration extractor URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.bin
Source: SdEkI4IDqd.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SdEkI4IDqd.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SdEkI4IDqd.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SdEkI4IDqd.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SdEkI4IDqd.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SdEkI4IDqd.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SdEkI4IDqd.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SdEkI4IDqd.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SdEkI4IDqd.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: SdEkI4IDqd.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SdEkI4IDqd.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056DE

System Summary

Source: SdEkI4IDqd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040755C 1_2_0040755C
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_00406D85 1_2_00406D85
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_702A1BFF 1_2_702A1BFF
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430584A 1_2_0430584A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04306034 1_2_04306034
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305E2F 1_2_04305E2F
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430801C 1_2_0430801C
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305855 1_2_04305855
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305CB0 1_2_04305CB0
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043042ED 1_2_043042ED
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043082D0 1_2_043082D0
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04304D3E 1_2_04304D3E
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305B2F 1_2_04305B2F
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04307D7D 1_2_04307D7D
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04304543 1_2_04304543
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430554A 1_2_0430554A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04306F88 1_2_04306F88
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305BD9 1_2_04305BD9
Source: SdEkI4IDqd.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430584A NtAllocateVirtualMemory, 1_2_0430584A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305855 NtAllocateVirtualMemory, 1_2_04305855
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Process Stats: CPU usage > 98%
Source: SdEkI4IDqd.exe ReversingLabs: Detection: 11%
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File read: C:\Users\user\Desktop\SdEkI4IDqd.exe
Source: SdEkI4IDqd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File created: C:\Users\user\AppData\Local\Temp\nsp7CAF.tmp
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/3@0/0
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_0040498A
Source: SdEkI4IDqd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Yara match File source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_702A30C0 push eax; ret 1_2_702A30EE
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04306436 push edi; retf 1_2_0430643E
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430300E push ecx; ret 1_2_0430300F
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430304F push es; retn 0010h 1_2_0430305A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043010AF push edx; ret 1_2_043010B0
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04306487 push esi; iretd 1_2_04306488
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043007E3 push cs; retf 1_2_043007E5
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_702A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_702A1BFF

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File created: C:\Users\user\AppData\Local\Temp\nsv7EA4.tmp\System.dll
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SdEkI4IDqd.exe RDTSC instruction interceptor: First address: 0000000004307462 second address: 0000000004307462 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 767D2D08h 0x00000007 xor eax, 3DB3D81Dh 0x0000000c xor eax, 7DF81DA8h 0x00000011 add eax, C9C91744h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F71B8C8FACAh 0x0000001e lfence 0x00000021 mov edx, 719799E7h 0x00000026 xor edx, 4CF121DBh 0x0000002c add edx, F85B2DFFh 0x00000032 xor edx, 4A3FE62Fh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp ax, dx 0x00000040 cmp ebx, edx 0x00000042 ret 0x00000043 sub edx, esi 0x00000045 ret 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007F71B8C8FAACh 0x00000057 call 00007F71B8C8FB15h 0x0000005c call 00007F71B8C8FAEBh 0x00000061 lfence 0x00000064 mov edx, 719799E7h 0x00000069 xor edx, 4CF121DBh 0x0000006f add edx, F85B2DFFh 0x00000075 xor edx, 4A3FE62Fh 0x0000007b mov edx, dword ptr [edx] 0x0000007d lfence 0x00000080 cmp ax, dx 0x00000083 cmp ebx, edx 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430745A rdtsc 1_2_0430745A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04305429 mov eax, dword ptr fs:[00000030h] 1_2_04305429
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430707C mov eax, dword ptr fs:[00000030h] 1_2_0430707C
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04307D7D mov eax, dword ptr fs:[00000030h] 1_2_04307D7D
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043041D3 mov eax, dword ptr fs:[00000030h] 1_2_043041D3
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_04306BD6 mov eax, dword ptr fs:[00000030h] 1_2_04306BD6
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_702A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_702A1BFF
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0430745A rdtsc 1_2_0430745A
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_043089CA RtlAddVectoredExceptionHandler, 1_2_043089CA
Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
No contacted IP infos