Edit tour

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Sample Name:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Analysis ID:	736949
MD5:	045f22ce9be3d33b07a00780ee66fcfd
SHA1:	91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:	e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Executable has a suspicious name (potential lure to open the executable)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Sleep loop found (likely to delay execution)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe (PID: 4848 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 045F22CE9BE3D33B07A00780EE66FCFD)

dllhost.exe (PID: 2364 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

backgroundTaskHost.exe (PID: 4408 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

dllhost.exe (PID: 4508 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

BackgroundTransferHost.exe (PID: 4480 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)

BackgroundTransferHost.exe (PID: 5560 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)

ieinstal.exe (PID: 5400 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 1820 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 6908 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 1396 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 4268 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 4772 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 7620 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 6588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 3156 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 5924 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 3988 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ielowutil.exe (PID: 7732 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 4760 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7756 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 4612 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 3852 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 6596 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 6516 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7348 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7808 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 7380 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)

ExtExport.exe (PID: 5404 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 7588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5708 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 8104 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 1160 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 6700 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 6248 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5524 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

ExtExport.exe (PID: 5904 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)

backgroundTaskHost.exe (PID: 5840 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden

Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_0040676F FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00402902 FindFirstFileW,

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: imprbeacons.dat.~tmp.4.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400089837&TID=700129702&CID=12800000000040292
Source: e9594213-9e57-49dd-91fb-0ee2aae6c086.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.dr, aa790838-db48-4eec-9b8a-be8242eb173a.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4XJ8e?ver=993fLast-Mo
Source: fce64348-a319-4f43-89cb-85a2ff3766b6.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.dr, dd6a1354-220a-435c-9960-7f2e2f731c6f.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Y3Xg?ver=4bf1Content
Source: 8086b025-ce16-4435-9cc3-d2a0f33fe026.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.dr, 585053d0-ba98-49e5-b1a4-c6f5d9974c26.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Ysjy?ver=4a06Content
Source: 4aa5b1fb-1301-4194-8203-1cbb67304ae7.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.dr, b554ff5d-428f-46a5-8fa9-db35cc2cdf59.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4YzZS?ver=7b46Content
Source: 8d48d2a6-6a56-420d-bb18-5dfe26c1259c.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.dr, f9e08879-735a-4e9f-beea-148234195053.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEDKu?ver=7737Content-
Source: 3843bffb-4eef-4da1-af04-618c0facc656.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.dr, 0f40a9a4-7ba9-4798-b98b-f18214009bbd.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEyIE?ver=7beaLast-Mod
Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Executable has a suspicious name (potential lure to open the executable)

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static file information: Suspicious name

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\BackgroundTransferHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\BackgroundTransferHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: edgegdi.dll

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00407458
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_00406C81
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_73841B5F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5E2E
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA709F
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA9A9D
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5C89
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B936F6
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA76EE
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B934E5
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA88D2
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93ACC
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7223
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA8C76
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA844B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA75B8
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA5FA7
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96B99
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B92593
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96397
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7D89
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BFD
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BF6
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B943EE
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA7BE0
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96BE2
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96138
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9333A
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA6334
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93123
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93F22
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B90318
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA851B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B9310D
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96176
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02BA596B
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B93153
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96355
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B96556
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Code function: 2_2_02B94347

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Code function: 2_2_02BA871D NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

File read: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Jump to behavior

Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Source: unknown	Process created: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-029939

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe