Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Overview

General Information

Sample Name: Order_002376662-579588_Date 24082022.exe
Analysis ID: 694559
MD5: 8c2a59bd88b7e2c26045a604ed544288
SHA1: 7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256: 0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: Order_002376662-579588_Date 24082022.exe Virustotal: Detection: 49%
Source: Order_002376662-579588_Date 24082022.exe Metadefender: Detection: 27%
Source: Order_002376662-579588_Date 24082022.exe ReversingLabs: Detection: 65%
Source: Order_002376662-579588_Date 24082022.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism
Source: Order_002376662-579588_Date 24082022.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0040639C FindFirstFileA,FindClose, 2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_004026F8 FindFirstFileA, 2_2_004026F8

Networking

Source: Traffic Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.11.20:50882 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.11.20:49785 -> 45.8.132.92:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550375683.000000000110E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.24024275041.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550277584.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32
Source: Order_002376662-579588_Date 24082022.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order_002376662-579588_Date 24082022.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: mnhckm.tk
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004052FE

System Summary

Source: initial sample Static PE information: Filename: Order_002376662-579588_Date 24082022.exe
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040330D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03514ADD NtResumeThread, 2_2_03514ADD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03514446 NtResumeThread, 2_2_03514446
Source: GPUPowerSavingConfigEditor.dll.2.dr Static PE information: No import functions for PE file found
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe
Source: Order_002376662-579588_Date 24082022.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
Source: Order_002376662-579588_Date 24082022.exe Static PE information: invalid certificate
Source: Order_002376662-579588_Date 24082022.exe Virustotal: Detection: 49%
Source: Order_002376662-579588_Date 24082022.exe Metadefender: Detection: 27%
Source: Order_002376662-579588_Date 24082022.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File read: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Source: Order_002376662-579588_Date 24082022.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040330D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Local\Temp\nsq713A.tmp
Source: classification engine Classification label: mal80.troj.evad.winEXE@4/7@1/1
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar, 2_2_004020CB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 2_2_004045CA
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism
Source: Order_002376662-579588_Date 24082022.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr

Data Obfuscation

Source: Yara match File source: 00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_10002D20 push eax; ret 2_2_10002D4E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03509BC5 push eax; ret 2_2_03509BD6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_035093CA push edx; retf 2_2_035093CB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_035043FC push 0000007Ah; iretd 2_2_03504410
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03507B92 push es; iretd 2_2_03507BCF
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03508E54 pushad ; retf 2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350C24D push ss; ret 2_2_0350C2B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350C278 push ss; ret 2_2_0350C2B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03509209 push edi; ret 2_2_0350923C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03508E23 pushad ; retf 2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350815E push ebx; ret 2_2_035081AE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03509DA3 push esi; ret 2_2_03509DA4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03508852 push cs; iretd 2_2_0350893B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_035080F8 push ebx; ret 2_2_035081AE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03505099 push eax; iretd 2_2_0350509A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03508CB9 pushad ; retf 2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_035088AC push cs; iretd 2_2_0350893B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00F73270 push ecx; ret 4_2_00F73281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00F77A4E push cs; ret 4_2_00F77A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00F70817 push cs; retf 4_2_00F70821
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00F739C0 push 0000002Ah; iretd 4_2_00F739D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00F71F8B push esp; retf 4_2_00F71F99
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_10001A5D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://MNHCKM.TK/EXPCRBJHZ225.U32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 736 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350275D rdtsc 2_2_0350275D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0040639C FindFirstFileA,FindClose, 2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_004026F8 FindFirstFileA, 2_2_004026F8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe API call chain: ExitProcess graph end node
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000003.24024087034.00000000010E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://mnhckm.tk/ExpCRBJHZ225.u32
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_10001A5D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350275D rdtsc 2_2_0350275D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AB49 mov eax, dword ptr fs:[00000030h] 2_2_0350AB49
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350A311 mov eax, dword ptr fs:[00000030h] 2_2_0350A311
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03512F2F mov eax, dword ptr fs:[00000030h] 2_2_03512F2F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03510E7B mov eax, dword ptr fs:[00000030h] 2_2_03510E7B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AA62 mov eax, dword ptr fs:[00000030h] 2_2_0350AA62
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AA16 mov eax, dword ptr fs:[00000030h] 2_2_0350AA16
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AA2D mov eax, dword ptr fs:[00000030h] 2_2_0350AA2D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AC45 mov ebx, dword ptr fs:[00000030h] 2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AC45 mov eax, dword ptr fs:[00000030h] 2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03506047 mov eax, dword ptr fs:[00000030h] 2_2_03506047
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350DC7B mov eax, dword ptr fs:[00000030h] 2_2_0350DC7B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AC04 mov eax, dword ptr fs:[00000030h] 2_2_0350AC04
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0350AC9B mov ebx, dword ptr fs:[00000030h] 2_2_0350AC9B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_03510E99 LdrLoadDll, 2_2_03510E99

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F70000
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040330D