Source: 00000000.00000002.896769853.0000000002D00000.00000040.00000001.00040000.00000007.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1VssbX_L5DESUoNwRHcbF42fii8wzHqEA"} |
Source: xcVh7ZmH4Y.exe |
Metadefender: Detection: 22% |
Source: xcVh7ZmH4Y.exe |
ReversingLabs: Detection: 39% |
Source: xcVh7ZmH4Y.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: xcVh7ZmH4Y.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
Source: |
Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00405C49 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_00406873 FindFirstFileW,FindClose, |
0_2_00406873 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_0040290B FindFirstFileW, |
0_2_0040290B |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&id=1VssbX_L5DESUoNwRHcbF42fii8wzHqEA |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://crl.F |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl.globalsign.com/root.crl0G |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: xcVh7ZmH4Y.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: AsOpenFile.exe.0.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr |
String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_004056DE |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameAsOpenFile.exeL vs xcVh7ZmH4Y.exe |
Source: xcVh7ZmH4Y.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: AsOpenFile.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_0040352D |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_0040755C |
0_2_0040755C |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_00406D85 |
0_2_00406D85 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_73541BFF |
0_2_73541BFF |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File read: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Source: xcVh7ZmH4Y.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File created: C:\Users\user\AppData\Local\Temp\nsg70C8.tmp |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File written: C:\Users\user\AppData\Local\Temp\duperinger.ini |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/7@0/0 |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_004021AA CoCreateInstance, |
0_2_004021AA |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
0_2_0040498A |
Source: Yara match |
File source: 00000000.00000002.896769853.0000000002D00000.00000040.00000001.00040000.00000007.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_735430C0 push eax; ret |
0_2_735430EE |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Code function: 0_2_73541BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_73541BFF |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File created: C:\Users\user\AppData\Local\Temp\AsOpenFile.exe |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
File created: C:\Users\user\AppData\Local\Temp\nss732B.tmp\System.dll |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
RDTSC instruction interceptor: First address: 0000000002D05B85 second address: 0000000002D05B85 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, dx 0x00000005 test ch, bh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F51ECBB244Dh 0x0000000b inc ebp 0x0000000c test edi, 09E7C1CFh 0x00000012 inc ebx 0x00000013 cmp ah, dh 0x00000015 rdtsc |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsOpenFile.exe |
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe |
API call chain: ExitProcess graph end node |
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895956305.0000000000731000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |