Click to jump to signature section
Source: 00000000.00000002.784726043.00000000030B0000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://msdvc.com/oluwa_RcQBQnZSyJ230.bin"} |
Source: file.exe | Virustotal: Detection: 26% | Perma Link |
Source: file.exe | ReversingLabs: Detection: 21% |
Source: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin | Avira URL Cloud: Label: malware |
Source: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin | Virustotal: Detection: 5% | Perma Link |
Source: file.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr |
Source: | Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr |
Source: | Binary string: MsMpCom.pdb source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr |
Source: | Binary string: MsMpCom.pdbGCTL source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040683D FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040290B FindFirstFileW, |
Source: Malware configuration extractor | URLs: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: file.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameConfigXML_ScenarioProfile.dllT vs file.exe |
Source: file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpCom.dllj% vs file.exe |
Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406BFE |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_72E61BFF |
Source: file.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 98% |
Source: file.exe | Virustotal: Detection: 26% |
Source: file.exe | ReversingLabs: Detection: 21% |
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe | Jump to behavior |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nssEAB6.tmp | Jump to behavior |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/6@0/0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004021AA CoCreateInstance, |
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr |
Source: | Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr |
Source: | Binary string: MsMpCom.pdb source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr |
Source: | Binary string: MsMpCom.pdbGCTL source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr |
Source: Yara match | File source: 00000000.00000002.784726043.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_72E630C0 push eax; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_72E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\MsMpCom.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsaF229.tmp\System.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 00000000030BD9E3 second address: 00000000030BD9E3 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FD358363427h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp ax, dx 0x0000000b rdtsc |
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpCom.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040683D FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040290B FindFirstFileW, |
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_72E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |