Source: 00000000.00000002.764364094.0000000002A50000.00000040.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bangladeshshoecity.com/images/2w"} |
Source: 9u4xTDR5bG.exe |
Virustotal: Detection: 31% |
Source: 9u4xTDR5bG.exe |
ReversingLabs: Detection: 44% |
Source: 9u4xTDR5bG.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: 9u4xTDR5bG.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_00406873 FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_0040290B FindFirstFileW, |
Source: Malware configuration extractor |
URLs: https://bangladeshshoecity.com/images/2w |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: 9u4xTDR5bG.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_0040755C |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_00406D85 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_73201BFF |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A55694 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A53CAF |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A54EDA |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A57839 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A5521F |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A57658 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A55982 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A53B8F |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A5279C |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A53FE2 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A57564 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A52749 |
Source: 9u4xTDR5bG.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A55694 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
File read: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Source: 9u4xTDR5bG.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
File created: C:\Users\user\AppData\Local\Temp\nsl4A9B.tmp |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/3@0/0 |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_004021AA CoCreateInstance, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: Yara match |
File source: 00000000.00000002.764364094.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_732030C0 push eax; ret |
0_2_732030EE |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_73201BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
File created: C:\Users\user\AppData\Local\Temp\nsm4CBF.tmp\System.dll |
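Taken together, the artefacts in this report (an NSIS temp folder holding System.dll, the Safer\CodeIdentifiers policy lookup, and the payload URL from the configuration extractor) give enough for a hunting rule. The Python below is an added example written for this page, not part of the sandbox report or of any vendor product. It runs a weighted indicator match over a handful of constructed Sysmon-style events built from those artefacts, plus one benign NSIS installer as a control. The event shape, the pids, the weights and the threshold are assumptions made for the example. Legitimate NSIS installers drop System.dll into exactly the same ns????.tmp folder, so that indicator on its own is deliberately kept below the alert threshold.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, shaped loosely like Sysmon events and built
# from the artefacts in the report above, plus one benign installer (pid 7788)
# as a control. These are not captured logs; pids are made up.
EVENTS = [
    {"pid": 4120, "type": "FileCreate",
     "target": r"C:\Users\user\AppData\Local\Temp\nsl4A9B.tmp"},
    {"pid": 4120, "type": "FileCreate",
     "target": r"C:\Users\user\AppData\Local\Temp\nsm4CBF.tmp\System.dll"},
    {"pid": 4120, "type": "RegistryQuery",
     "target": r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"},
    {"pid": 4120, "type": "NetworkConnect",
     "target": "https://bangladeshshoecity.com/images/2w"},
    {"pid": 7788, "type": "FileCreate",
     "target": r"C:\Users\user\AppData\Local\Temp\nsq1F00.tmp\System.dll"},
]

# Payload URL as reported by the configuration extractor above.
PAYLOAD_URLS = {"https://bangladeshshoecity.com/images/2w"}

# NSIS unpacks plugins into %TEMP%\ns<letter><4 hex>.tmp\; System.dll is the
# plugin that lets installer script call arbitrary Win32 APIs.
NSIS_PLUGIN = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\System\.dll$", re.I)
SRP_KEY = re.compile(r"\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers$", re.I)

# (name, event type, matcher, weight). The weights are an assumption for this
# example, not a published scoring scheme. The NSIS plugin drop is common to
# benign installers, so it carries the lowest weight.
INDICATORS = [
    ("nsis_system_plugin", "FileCreate", lambda t: NSIS_PLUGIN.search(t) is not None, 1),
    ("srp_policy_lookup", "RegistryQuery", lambda t: SRP_KEY.search(t) is not None, 1),
    ("known_payload_url", "NetworkConnect", lambda t: t in PAYLOAD_URLS, 5),
]

def triage(events, threshold=3):
    """Group events by pid, match every indicator once per pid, and return
    {pid: {"score", "indicators", "alert"}} for pids with at least one hit."""
    hits = defaultdict(dict)
    for ev in events:
        for name, etype, match, weight in INDICATORS:
            if ev["type"] == etype and match(ev["target"]):
                hits[ev["pid"]][name] = weight
    verdicts = {}
    for pid, matched in hits.items():
        score = sum(matched.values())
        verdicts[pid] = {"score": score,
                         "indicators": sorted(matched),
                         "alert": score >= threshold}
    return verdicts

if __name__ == "__main__":
    for pid, v in sorted(triage(EVENTS).items()):
        print(pid, v)
```

Only the process that also reaches the extracted payload URL crosses the threshold; the control installer matches the NSIS indicator and stays quiet. In a real deployment the URL set would be fed from the configuration extractor output rather than hard-coded.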
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
RDTSC instruction interceptor: First address: 0000000002A551C3 second address: 0000000002A551C3 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 42A4596Fh
0x00000007 sub eax, FBADDA8Dh
0x0000000c xor eax, 87ED79C8h
0x00000011 xor eax, C11B072Bh
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F151CAE4FDEh
0x0000001e lfence
0x00000021 mov edx, B78E5550h
0x00000026 xor edx, 614933DAh
0x0000002c add edx, 0CEF4ABFh
0x00000032 xor edx, 9C48B15Dh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000003e test dx, bx
0x00000041 sub edx, esi
0x00000043 ret
0x00000044 pop ecx
0x00000045 cmp ch, 0000007Eh
0x00000048 add edi, edx
0x0000004a dec ecx
0x0000004b mov dword ptr [ebp+00000227h], 169B01A4h
0x00000055 xor dword ptr [ebp+00000227h], BF933C27h
0x0000005f fnop
0x00000061 sub dword ptr [ebp+00000227h], B3AFC749h
0x0000006b xor dword ptr [ebp+00000227h], F558763Ah
0x00000075 cmp ecx, dword ptr [ebp+00000227h]
0x0000007b jne 00007F151CAE4F85h
0x0000007d mov dword ptr [ebp+0000024Ch], esi
0x00000083 mov esi, ecx
0x00000085 push esi
0x00000086 mov esi, dword ptr [ebp+0000024Ch]
0x0000008c call 00007F151CAE503Fh
0x00000091 call 00007F151CAE4FFFh
0x00000096 lfence
0x00000099 mov edx, B78E5550h
0x0000009e xor edx, 614933DAh
0x000000a4 add edx, 0CEF4ABFh
0x000000aa xor edx, 9C48B15Dh
0x000000b0 mov edx, dword ptr [edx]
0x000000b2 lfence
0x000000b5 ret
0x000000b6 mov esi, edx
0x000000b8 pushad
0x000000b9 rdtsc |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A5542A rdtsc |
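The immediates in the interceptor listing above are not random filler: each `mov reg, imm` followed by `sub`/`xor`/`add` with further immediates rebuilds one real value at run time, so a static scan for interesting constants sees nothing. Folding those chains is the first step in reading a GuLoader listing. The script below is an added example written for this page, not code from the sandbox or from the loader. It folds the three chains in the listing (transcribed inline and abridged, as constructed input) and labels the results. Assumptions are marked in the code: the chain grammar (mov imm, then xor/add/sub imm, with fnop/lfence filler) is inferred from this one listing, and the KUSER_SHARED_DATA field offsets are the documented Windows values.

```python
import re

# Constructed sample input: the RDTSC interceptor listing from the report
# above, transcribed one instruction per line and abridged to the parts the
# script acts on. Not captured from a live run.
LISTING = """
0x00000000 rdtsc
0x00000002 mov eax, 42A4596Fh
0x00000007 sub eax, FBADDA8Dh
0x0000000c xor eax, 87ED79C8h
0x00000011 xor eax, C11B072Bh
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F151CAE4FDEh
0x0000001e lfence
0x00000021 mov edx, B78E5550h
0x00000026 xor edx, 614933DAh
0x0000002c add edx, 0CEF4ABFh
0x00000032 xor edx, 9C48B15Dh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d ret
0x0000004b mov dword ptr [ebp+00000227h], 169B01A4h
0x00000055 xor dword ptr [ebp+00000227h], BF933C27h
0x0000005f fnop
0x00000061 sub dword ptr [ebp+00000227h], B3AFC749h
0x0000006b xor dword ptr [ebp+00000227h], F558763Ah
0x00000075 cmp ecx, dword ptr [ebp+00000227h]
0x0000007b jne 00007F151CAE4F85h
0x000000b9 rdtsc
"""

MASK = 0xFFFFFFFF
INSN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)(?:\s+(.*))?$")
IMM_RE = re.compile(r"^[0-9A-Fa-f]+h$")        # MASM-style immediate, e.g. 0CEF4ABFh
TRANSPARENT = {"nop", "fnop", "lfence"}       # filler seen between chain steps (assumption)

# Assumption: documented user-mode mapping of KUSER_SHARED_DATA and the field
# offsets a timing or debugger check is most likely to read.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x008: "InterruptTime", 0x014: "SystemTime",
                0x2D4: "KdDebuggerEnabled", 0x320: "TickCount"}

def _imm(tok):
    return int(tok[:-1], 16) & MASK

def parse(listing):
    """Return (offset, mnemonic, dst, src) for every 'offset mnem ops' line."""
    insns = []
    for line in listing.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            continue
        ops = [p.strip() for p in m.group(3).split(",", 1)] if m.group(3) else []
        dst = ops[0] if ops else None
        src = ops[1] if len(ops) > 1 else None
        insns.append((int(m.group(1), 16), m.group(2).lower(), dst, src))
    return insns

def fold_constants(listing):
    """Collapse 'mov DST, imm' followed by xor/add/sub DST, imm into the value
    the chain really produces. Each result records the start offset, the
    destination operand, the folded 32-bit value and the mnemonic of the
    instruction that consumed it."""
    chains, cur = [], None
    for off, mnem, dst, src in parse(listing):
        is_imm = src is not None and IMM_RE.match(src) is not None
        if cur is not None:
            if mnem in TRANSPARENT:
                continue
            if dst == cur["dst"] and is_imm and mnem in ("xor", "add", "sub"):
                v, val = _imm(src), cur["value"]
                if mnem == "xor":
                    val ^= v
                elif mnem == "add":
                    val = (val + v) & MASK
                else:
                    val = (val - v) & MASK
                cur["value"] = val
                continue
            cur["next"] = mnem           # chain is over; this insn uses the value
            chains.append(cur)
            cur = None
        if mnem == "mov" and is_imm:
            cur = {"start": off, "dst": dst, "value": _imm(src), "next": None}
    if cur is not None:
        chains.append(cur)
    return chains

def describe(value):
    """Name a folded value when it points into KUSER_SHARED_DATA."""
    if KUSER_SHARED_DATA <= value < KUSER_SHARED_DATA + 0x1000:
        off = value - KUSER_SHARED_DATA
        return "KUSER_SHARED_DATA+0x%X (%s)" % (off, KUSER_FIELDS.get(off, "unknown field"))
    return "0x%08X" % value

def annotate(listing):
    """One human-readable line per folded chain."""
    out = []
    for c in fold_constants(listing):
        note = describe(c["value"])
        if c["dst"] == "eax" and c["next"] == "cpuid":
            note = "cpuid leaf %d" % c["value"]
            if c["value"] == 1:
                note += " (hypervisor bit is ECX[31])"
        out.append("%#06x %s = %s" % (c["start"], c["dst"], note))
    return out

if __name__ == "__main__":
    print("\n".join(annotate(LISTING)))
```

Run stand-alone it prints three lines. eax folds to 1 immediately before cpuid, i.e. leaf 1, whose ECX bit 31 is the hypervisor-present flag. edx folds to 0x7FFE0014, which is KUSER_SHARED_DATA.SystemTime; the code dereferences it between the two rdtsc instructions, a wall-clock source that needs no API call and is therefore invisible to hooks on GetTickCount or QueryPerformanceCounter. The stack slot at ebp+0x227 folds to 0, so the cmp/jne pair is an ordinary loop-counter test rather than a magic-value comparison.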
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A550A9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A56CD9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A56A06 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A537EC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A57564 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe |
Code function: 0_2_02A58130 RtlAddVectoredExceptionHandler, |