Windows Analysis Report
XShSI2OXaC.exe

Overview

General Information

Sample Name: XShSI2OXaC.exe
Analysis ID: 736966
MD5: b69c9170ffab277e1bd13fde891a5ae5
SHA1: 8928e5d360edbecd1547cf61831d4f055bed92af
SHA256: a81489460818664146f756543f081b702bcb69244ebf8f6a240b02b2357c577c
Tags: exesigned

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormally high CPU usage
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: XShSI2OXaC.exe ReversingLabs: Detection: 40%
Source: XShSI2OXaC.exe Virustotal: Detection: 8%
Source: XShSI2OXaC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\One
Source: XShSI2OXaC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_004028D5 FindFirstFileW, 0_2_004028D5
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_0040679D FindFirstFileW,FindClose, 0_2_0040679D
Source: XShSI2OXaC.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: XShSI2OXaC.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: XShSI2OXaC.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: XShSI2OXaC.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: XShSI2OXaC.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: XShSI2OXaC.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: XShSI2OXaC.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: XShSI2OXaC.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: XShSI2OXaC.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: XShSI2OXaC.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: XShSI2OXaC.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_00405601 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405601
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350D
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_00406B64 0_2_00406B64
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_73791B5F 0_2_73791B5F
Source: XShSI2OXaC.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\XShSI2OXaC.exe File read: C:\Users\user\Desktop\XShSI2OXaC.exe
Source: XShSI2OXaC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\XShSI2OXaC.exe File created: C:\Users\user\AppData\Local\Temp\nsyA070.tmp
Source: C:\Users\user\Desktop\XShSI2OXaC.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_00402171 CoCreateInstance, 0_2_00402171
Source: C:\Users\user\Desktop\XShSI2OXaC.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_004048B8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004048B8

Data Obfuscation

Source: Yara match File source: 00000000.00000002.777436198.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_73791B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73791B5F
Source: C:\Users\user\Desktop\XShSI2OXaC.exe File created: C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XShSI2OXaC.exe RDTSC instruction interceptor: First address: 0000000003221D6F second address: 0000000003221D6F instructions:
0x00000000 rdtsc
0x00000002 test ch, 00000040h
0x00000005 cmp ebx, ecx
0x00000007 jc 00007F6E649CF979h
0x0000000d test cx, bx
0x00000010 inc ebp
0x00000011 cmp ax, cx
0x00000014 inc ebx
0x00000015 jmp 00007F6E649CFB35h
0x0000001a test bx, dx
0x0000001d rdtsc
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_004028D5 FindFirstFileW, 0_2_004028D5
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_0040679D FindFirstFileW,FindClose, 0_2_0040679D
Source: C:\Users\user\Desktop\XShSI2OXaC.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_73791B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73791B5F
Source: C:\Users\user\Desktop\XShSI2OXaC.exe Code function: 0_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350D
No contacted IP infos