Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
E-DEKONT.exe

Overview

General Information

Sample Name:E-DEKONT.exe
Analysis ID:755881
MD5:0aa36eb080cf7171cec271b2cd4d2108
SHA1:eb7f3bf8e15ae16e765e480510d2260a9e9facb8
SHA256:6ca208edbc718f737f74ee0a631ed22cd2bf67a0db679d9d1702575c087550cc
Tags:exegeoTUR
Infos:

Detection

GuLoader
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • E-DEKONT.exe (PID: 3648 cmdline: C:\Users\user\Desktop\E-DEKONT.exe MD5: 0AA36EB080CF7171CEC271B2CD4D2108)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.815535912.0000000002980000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: E-DEKONT.exeVirustotal: Detection: 26%Perma Link
    Source: E-DEKONT.exeReversingLabs: Detection: 20%
    Source: E-DEKONT.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\E-DEKONT.exeRegistry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\FouragenJump to behavior
    Source: E-DEKONT.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_004065C5 FindFirstFileW,FindClose,0_2_004065C5
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405990
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00402862 FindFirstFileW,0_2_00402862
    Source: E-DEKONT.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405425
    Source: E-DEKONT.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00404C620_2_00404C62
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00406ADD0_2_00406ADD
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_004072B40_2_004072B4
    Source: C:\Users\user\Desktop\E-DEKONT.exeProcess Stats: CPU usage > 98%
    Source: E-DEKONT.exeVirustotal: Detection: 26%
    Source: E-DEKONT.exeReversingLabs: Detection: 20%
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile read: C:\Users\user\Desktop\E-DEKONT.exeJump to behavior
    Source: E-DEKONT.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\E-DEKONT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\YdervggJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Local\Temp\nsx124F.tmpJump to behavior
    Source: classification engineClassification label: mal60.troj.evad.winEXE@1/6@0/0
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_004020FE CoCreateInstance,0_2_004020FE
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046E6
    Source: C:\Users\user\Desktop\E-DEKONT.exeRegistry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\FouragenJump to behavior
    Source: E-DEKONT.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 00000000.00000002.815535912.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Local\Temp\nsc1ED3.tmp\System.dllJump to dropped file
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\YdervggJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\SuperassumeJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddraJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\InternalisereJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere\Brnesangen.EndJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalizationJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\libxml2-2.0.typelibJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\sgelngdernes.Dep74Jump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\SldedeJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\memstat.cJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\selection-end-symbolic.symbolic.pngJump to behavior
    Source: C:\Users\user\Desktop\E-DEKONT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    barindex
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\E-DEKONT.exeRDTSC instruction interceptor: First address: 0000000002982199 second address: 0000000002982199 instructions: 0x00000000 rdtsc 0x00000002 test bl, al 0x00000004 cmp bh, ch 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FC854E72952h 0x0000000a cmp eax, ecx 0x0000000c cmp bl, dl 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_004065C5 FindFirstFileW,FindClose,0_2_004065C5
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405990
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00402862 FindFirstFileW,0_2_00402862
    Source: C:\Users\user\Desktop\E-DEKONT.exeAPI call chain: ExitProcess graph end nodegraph_0-4602
    Source: C:\Users\user\Desktop\E-DEKONT.exeAPI call chain: ExitProcess graph end nodegraph_0-4604
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\E-DEKONT.exeCode function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Native API    		1
    Windows Service    		1
    Access Token Manipulation    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
    System Shutdown/Reboot
    Default AccountsScheduled Task/Job1
    Registry Run Keys / Startup Folder    		1
    Windows Service    		1
    Access Token Manipulation    		LSASS Memory2
    File and Directory Discovery    		Remote Desktop Protocol1
    Clipboard Data    		Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)1
    Registry Run Keys / Startup Folder    		1
    Obfuscated Files or Information    		Security Account Manager13
    System Information Discovery    		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.