
Windows Analysis Report
SdEkI4IDqd.exe

Overview

General Information

Sample Name: SdEkI4IDqd.exe
Analysis ID: 559536
MD5: 003a7c37f9c06d75aaaa6f9b25dc3c41
SHA1: a847ef8c72d26731963b189caff925a8a757d563
SHA256: 4f29b22b6b787babc2f984172f8ae0e3999b7621aeb6775ce023f2ef5db0b2e7
Tags: exe, signed
Infos:

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Drops PE files
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Contains functionality to read data from the clipboard

Classification

Classification label: mal72.troj.evad.winEXE@1/3@0/0

Process Tree

  • System is w10x64
  • SdEkI4IDqd.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\SdEkI4IDqd.exe" MD5: 003A7C37F9C06D75AAAA6F9B25DC3C41)
  • cleanup
Malware Configuration

Threat name: GuLoader
{"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"}

Yara Overview

Source | Rule | Description | Author | Strings
00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched


    AV Detection

    Source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"}
    Source: SdEkI4IDqd.exe | ReversingLabs: Detection: 11%
    Source: SdEkI4IDqd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: SdEkI4IDqd.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 1_2_00405C49
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose | 1_2_00406873
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040290B FindFirstFileW | 1_2_0040290B

    Networking

    Source: Malware configuration extractor | URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.bin
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://ocsp.digicert.com0C
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://ocsp.digicert.com0O
    Source: SdEkI4IDqd.exe | String found in binary or memory: http://www.digicert.com/CPS0
    Source: SdEkI4IDqd.exe | String found in binary or memory: https://www.digicert.com/CPS0
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 1_2_004056DE
    Source: SdEkI4IDqd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 1_2_0040352D
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040755C | 1_2_0040755C
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_00406D85 | 1_2_00406D85
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_702A1BFF | 1_2_702A1BFF
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430584A | 1_2_0430584A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04306034 | 1_2_04306034
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305E2F | 1_2_04305E2F
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430801C | 1_2_0430801C
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305855 | 1_2_04305855
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305CB0 | 1_2_04305CB0
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043042ED | 1_2_043042ED
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043082D0 | 1_2_043082D0
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04304D3E | 1_2_04304D3E
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305B2F | 1_2_04305B2F
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04307D7D | 1_2_04307D7D
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04304543 | 1_2_04304543
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430554A | 1_2_0430554A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04306F88 | 1_2_04306F88
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305BD9 | 1_2_04305BD9
    Source: SdEkI4IDqd.exe | Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430584A NtAllocateVirtualMemory | 1_2_0430584A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305855 NtAllocateVirtualMemory | 1_2_04305855
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Process Stats: CPU usage > 98%
    Source: SdEkI4IDqd.exe | ReversingLabs: Detection: 11%
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | File read: C:\Users\user\Desktop\SdEkI4IDqd.exe
    Source: SdEkI4IDqd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 1_2_0040352D
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | File created: C:\Users\user\AppData\Local\Temp\nsp7CAF.tmp
    Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/3@0/0
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_004021AA CoCreateInstance | 1_2_004021AA
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 1_2_0040498A
    Source: SdEkI4IDqd.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
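    The "String found in binary or memory" entries under Networking need a triage pass before any of them is treated as an indicator. Ten of the eleven are DigiCert CRL, OCSP, AIA and CPS URLs: they come from the Authenticode signature and timestamp certificates embedded in the file (the same signature the report flags as an invalid certificate), and the stray "0P", "0C", "02", ":" tails are the DER SEQUENCE tag (0x30, printed "0") and length byte that follow each URI in the certificate, which the string scanner swept up. The nsis.sf.net string is the NSIS runtime's error URL, consistent with the nsp*.tmp/nsv*.tmp\System.dll drop; the report itself concatenated it with the adjacent "Error" string. The only network indicator the report supports is the payload URL from the extracted configuration. The Python below is an added example, not part of the report or of any Joe Sandbox tooling: it normalises the DER tails, classifies each URL, and defangs the surviving candidate. The CA-infrastructure suffix list holds only what this report shows and is an assumption to extend per CA.

```python
import re
from urllib.parse import urlparse

# Strings copied from the report's "String found in binary or memory" entries,
# plus the payload URL from the report's extracted configuration.
BINARY_STRINGS = [
    "http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P",
    "http://crl3.digicert.com/sha2-assured-ts.crl02",
    "http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:",
    "http://crl4.digicert.com/sha2-assured-ts.crl0",
    "http://nsis.sf.net/NSIS_ErrorError",
    "http://ocsp.digicert.com0C",
    "http://ocsp.digicert.com0O",
    "http://www.digicert.com/CPS0",
    "https://www.digicert.com/CPS0",
]
CONFIG_URLS = ["https://dariamob.ro/wed/eee_XScUCMEVL47.bin"]

# Assumption: hosts under these suffixes are the signing CA's revocation/policy
# infrastructure, present in every certificate chain, never attacker infrastructure.
CA_INFRA_SUFFIXES = (".digicert.com",)
INSTALLER_HOSTS = ("nsis.sf.net",)      # NSIS runtime error URL, not a contact point

# In DER a URI is followed by the next element's tag (0x30 = SEQUENCE, i.e. '0') and a
# length byte, which is printable ('P', 'C', ':', '2', 'O') or dropped by the scanner.
DER_TAIL = re.compile(r"0[ -~]?$")
URL_END = (".crl", ".crt", ".com", "/CPS")   # endings we accept after stripping


def strip_der_tail(url):
    """Remove a trailing SEQUENCE tag/length pair when what remains is a plausible URL."""
    candidate = DER_TAIL.sub("", url)
    return candidate if candidate.endswith(URL_END) else url


def classify(url):
    host = urlparse(url).hostname or ""
    if host.endswith(CA_INFRA_SUFFIXES):
        return "ca-infrastructure"
    if host in INSTALLER_HOSTS:
        return "installer-runtime"
    return "candidate-ioc"


def defang(url):
    """hxxp scheme and bracketed dots in the host only; path left intact."""
    netloc = urlparse(url).netloc
    return url.replace("http", "hxxp", 1).replace(netloc, netloc.replace(".", "[.]"), 1)


def triage(binary_strings, config_urls):
    """Bucket the report's URLs; configuration URLs are indicators by definition."""
    buckets = {"candidate-ioc": [], "ca-infrastructure": [], "installer-runtime": []}
    for s in binary_strings:
        url = strip_der_tail(s)
        buckets[classify(url)].append(url)
    buckets["candidate-ioc"].extend(config_urls)
    return buckets


if __name__ == "__main__":
    for category, urls in triage(BINARY_STRINGS, CONFIG_URLS).items():
        print(category)
        for u in urls:
            print("   ", defang(u) if category == "candidate-ioc" else u)
```

    Blocking or hunting on the DigiCert hosts would generate noise on every signed binary in the estate; the dariamob.ro payload URL is the entry worth a network rule, and the invalid signature plus the NSIS drop are the host-side corroboration.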

    Data Obfuscation

    Source: Yara match | File source: 00000001.00000002.823231609.0000000004300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_702A30C0 push eax; ret | 1_2_702A30EE
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04306436 push edi; retf | 1_2_0430643E
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430300E push ecx; ret | 1_2_0430300F
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430304F push es; retn 0010h | 1_2_0430305A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043010AF push edx; ret | 1_2_043010B0
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04306487 push esi; iretd | 1_2_04306488
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043007E3 push cs; retf | 1_2_043007E5
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_702A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW | 1_2_702A1BFF
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | File created: C:\Users\user\AppData\Local\Temp\nsv7EA4.tmp\System.dll
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | RDTSC instruction interceptor: First address: 0000000004307462, second address: 0000000004307462, instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 767D2D08h
        0x00000007 xor eax, 3DB3D81Dh
        0x0000000c xor eax, 7DF81DA8h
        0x00000011 add eax, C9C91744h
        0x00000016 cpuid
        0x00000018 popad
        0x00000019 call 00007F71B8C8FACAh
        0x0000001e lfence
        0x00000021 mov edx, 719799E7h
        0x00000026 xor edx, 4CF121DBh
        0x0000002c add edx, F85B2DFFh
        0x00000032 xor edx, 4A3FE62Fh
        0x00000038 mov edx, dword ptr [edx]
        0x0000003a lfence
        0x0000003d cmp ax, dx
        0x00000040 cmp ebx, edx
        0x00000042 ret
        0x00000043 sub edx, esi
        0x00000045 ret
        0x00000046 add edi, edx
        0x00000048 dec dword ptr [ebp+000000F8h]
        0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h
        0x00000055 jne 00007F71B8C8FAACh
        0x00000057 call 00007F71B8C8FB15h
        0x0000005c call 00007F71B8C8FAEBh
        0x00000061 lfence
        0x00000064 mov edx, 719799E7h
        0x00000069 xor edx, 4CF121DBh
        0x0000006f add edx, F85B2DFFh
        0x00000075 xor edx, 4A3FE62Fh
        0x0000007b mov edx, dword ptr [edx]
        0x0000007d lfence
        0x00000080 cmp ax, dx
        0x00000083 cmp ebx, edx
        0x00000085 ret
        0x00000086 mov esi, edx
        0x00000088 pushad
        0x00000089 rdtsc
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430745A rdtsc | 1_2_0430745A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 1_2_00405C49
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose | 1_2_00406873
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040290B FindFirstFileW | 1_2_0040290B
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | API call chain: ExitProcess graph end node | graph_1-6400
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | API call chain: ExitProcess graph end node | graph_1-6556
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04305429 mov eax, dword ptr fs:[00000030h] | 1_2_04305429
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430707C mov eax, dword ptr fs:[00000030h] | 1_2_0430707C
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04307D7D mov eax, dword ptr fs:[00000030h] | 1_2_04307D7D
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043041D3 mov eax, dword ptr fs:[00000030h] | 1_2_043041D3
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_04306BD6 mov eax, dword ptr fs:[00000030h] | 1_2_04306BD6
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_702A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW | 1_2_702A1BFF
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0430745A rdtsc | 1_2_0430745A
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_043089CA RtlAddVectoredExceptionHandler | 1_2_043089CA
    Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 1_2_0040352D
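    The intercepted RDTSC stub hides every constant it needs behind a mov/xor/add chain, which is what makes the "Uses code obfuscation techniques" and "Tries to detect virtualization through RDTSC time measurements" verdicts hard to read off the listing by eye. Folding the chains with 32-bit wraparound recovers them: the eax chain collapses to 1, so the cpuid at +0x16 is leaf 1 (the leaf whose ECX bit 31 advertises a hypervisor), and the edx chain collapses to 0x7FFE0014, which the stub then dereferences. The Python below is an added example, not part of the report or of Joe Sandbox: it parses the listing exactly as printed in this report's interceptor entry and evaluates the chains. The reading of 0x7FFE0014 as KUSER_SHARED_DATA.SystemTime.LowPart (0x7FFE0000 is the fixed user-mode mapping of KUSER_SHARED_DATA on Windows, and SystemTime sits at offset 0x14) is my interpretation of the recovered value, not something the report states; it fits a loop that compares TSC deltas against wall-clock time to spot the slow, trapped CPUID of an emulator or sandbox.

```python
import re

MASK32 = 0xFFFFFFFF

# Instruction listing copied from the report's "RDTSC instruction interceptor" entry
# (first 0x43 bytes, offsets as Joe Sandbox printed them).
LISTING = (
    "0x00000000 rdtsc 0x00000002 mov eax, 767D2D08h 0x00000007 xor eax, 3DB3D81Dh "
    "0x0000000c xor eax, 7DF81DA8h 0x00000011 add eax, C9C91744h 0x00000016 cpuid "
    "0x00000018 popad 0x00000019 call 00007F71B8C8FACAh 0x0000001e lfence "
    "0x00000021 mov edx, 719799E7h 0x00000026 xor edx, 4CF121DBh "
    "0x0000002c add edx, F85B2DFFh 0x00000032 xor edx, 4A3FE62Fh "
    "0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp ax, dx "
    "0x00000040 cmp ebx, edx 0x00000042 ret"
)

IMM = re.compile(r"^([0-9A-Fa-f]+)h$")          # MASM-style immediate, e.g. 767D2D08h
OPS = {
    "xor": lambda a, b: a ^ b,
    "add": lambda a, b: (a + b) & MASK32,
    "sub": lambda a, b: (a - b) & MASK32,
}

# Interpretation (mine, not the report's): fixed KUSER_SHARED_DATA mapping plus the
# offset of SystemTime.LowPart. Extend with other offsets as chains resolve to them.
KNOWN_ADDRESSES = {0x7FFE0014: "KUSER_SHARED_DATA.SystemTime.LowPart"}


def parse_listing(text):
    """Split Joe Sandbox's one-line listing into (offset, mnemonic, operands) tuples."""
    parts = re.split(r"\s*0x([0-9A-Fa-f]{8})\s+", text.strip())
    insns = []
    for off, body in zip(parts[1::2], parts[2::2]):   # parts[0] is the empty prefix
        mnem, _, ops = body.strip().partition(" ")
        insns.append((int(off, 16), mnem, ops.strip()))
    return insns


def resolve_constant_chains(insns):
    """Fold 'mov reg, imm' followed by xor/add/sub-immediate on the same register and
    report the folded value at the instruction that finally consumes the register."""
    live = {}       # register -> value known from an immediate chain
    resolved = []   # (offset, instruction text, register, value)
    for off, mnem, ops in insns:
        dst, _, src = (p.strip() for p in ops.partition(","))
        imm = IMM.match(src)
        if mnem == "mov" and imm:
            live[dst] = int(imm.group(1), 16)
            continue
        if mnem in OPS and imm and dst in live:
            live[dst] = OPS[mnem](live[dst], int(imm.group(1), 16))
            continue
        if mnem == "popad":                       # every register reloaded from the stack
            live.clear()
            continue
        for reg in list(live):                    # any other use ends the chain
            if reg in ops or (mnem == "cpuid" and reg == "eax"):
                resolved.append((off, f"{mnem} {ops}".strip(), reg, live.pop(reg)))
    return resolved


def describe(resolved):
    """Human-readable lines: offset, consuming instruction, register, value, meaning."""
    lines = []
    for off, insn, reg, val in resolved:
        if insn == "cpuid":
            note = f"CPUID leaf {val}" + (" (ECX bit 31 = hypervisor present)" if val == 1 else "")
        else:
            note = KNOWN_ADDRESSES.get(val, "")
        lines.append(f"+0x{off:02x}  {insn:<26} {reg} = 0x{val:08X}  {note}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(describe(resolve_constant_chains(parse_listing(LISTING)))))
```

    The same folding works on the second copy of the edx chain at +0x64, which resolves to the same address; the stub samples SystemTime twice around the CPUID/RDTSC pair, and the dec/jne on [ebp+0F8h] shows it repeating the measurement a counted number of times before deciding. When writing a sandbox or emulator, the practical takeaway is that hooking RDTSC alone is not enough: the time source read through 0x7FFE0014 must advance consistently with the TSC values you return.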
    MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the signature-count badge as shown in the report)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Native API (1); Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Access Token Manipulation (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Access Token Manipulation (1); Obfuscated Files or Information (1); Obfuscated Files or Information
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: Security Software Discovery (11); File and Directory Discovery (2); System Information Discovery (13)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data