Windows Analysis Report
E-DEKONT.exe

Overview

General Information

Sample Name: E-DEKONT.exe
Analysis ID: 755881
MD5: 0aa36eb080cf7171cec271b2cd4d2108
SHA1: eb7f3bf8e15ae16e765e480510d2260a9e9facb8
SHA256: 6ca208edbc718f737f74ee0a631ed22cd2bf67a0db679d9d1702575c087550cc
Tags: exegeoTUR

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Abnormally high CPU usage
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: E-DEKONT.exe Virustotal: Detection: 26%
Source: E-DEKONT.exe ReversingLabs: Detection: 20%
Source: E-DEKONT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\E-DEKONT.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen
Source: E-DEKONT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: E-DEKONT.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405425
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00404C62 0_2_00404C62
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00406ADD 0_2_00406ADD
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_004072B4 0_2_004072B4
Source: C:\Users\user\Desktop\E-DEKONT.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\E-DEKONT.exe File read: C:\Users\user\Desktop\E-DEKONT.exe
Source: E-DEKONT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E-DEKONT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\E-DEKONT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Local\Temp\nsx124F.tmp
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\E-DEKONT.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046E6

Data Obfuscation

Source: Yara match File source: 00000000.00000002.815535912.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Local\Temp\nsc1ED3.tmp\System.dll
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere\Brnesangen.End
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\libxml2-2.0.typelib
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\sgelngdernes.Dep74
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\memstat.c
Source: C:\Users\user\Desktop\E-DEKONT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\selection-end-symbolic.symbolic.png
Source: C:\Users\user\Desktop\E-DEKONT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\E-DEKONT.exe RDTSC instruction interceptor: First address: 0000000002982199 second address: 0000000002982199 instructions:
0x00000000 rdtsc
0x00000002 test bl, al
0x00000004 cmp bh, ch
0x00000006 cmp ebx, ecx
0x00000008 jc 00007FC854E72952h
0x0000000a cmp eax, ecx
0x0000000c cmp bl, dl
0x0000000e inc ebp
0x0000000f inc ebx
0x00000010 rdtsc
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\E-DEKONT.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\E-DEKONT.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
No contacted IP infos