
Windows Analysis Report
E-DEKONT.exe

Overview

General Information

Sample Name: E-DEKONT.exe
Analysis ID: 755881
MD5: 0aa36eb080cf7171cec271b2cd4d2108
SHA1: eb7f3bf8e15ae16e765e480510d2260a9e9facb8
SHA256: 6ca208edbc718f737f74ee0a631ed22cd2bf67a0db679d9d1702575c087550cc
Tags: exe, geoTUR

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • E-DEKONT.exe (PID: 3648 cmdline: C:\Users\user\Desktop\E-DEKONT.exe MD5: 0AA36EB080CF7171CEC271B2CD4D2108)
  • cleanup
No configs have been found
Yara match
    Source: 00000000.00000002.815535912.0000000002980000.00000040.00001000.00020000.00000000.sdmp
    Rule: JoeSecurity_GuLoader_2
    Description: Yara detected GuLoader
    Author: Joe Security
    Strings: none listed
    No Sigma rule has matched
    No Snort rule has matched


    AV Detection

    Source: E-DEKONT.exe | Virustotal: Detection: 26%
    Source: E-DEKONT.exe | ReversingLabs: Detection: 20%
    Source: E-DEKONT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen
    Source: E-DEKONT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00402862 FindFirstFileW,
    Source: E-DEKONT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00404C62
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00406ADD
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_004072B4
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File read: C:\Users\user\Desktop\E-DEKONT.exe
    Source: E-DEKONT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Local\Temp\nsx124F.tmp
    Source: classification engine | Classification label: mal60.troj.evad.winEXE@1/6@0/0
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_004020FE CoCreateInstance,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
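The two "Static PE information" lines above list the COFF Characteristics and the DllCharacteristics flag words of the sample. The pairing that matters when assessing the binary is RELOCS_STRIPPED together with DYNAMIC_BASE: the loader can only honour DYNAMIC_BASE if the image carries base relocations, so this executable is mapped at its preferred image base on every run even though it opts in to ASLR (NX_COMPAT, by contrast, needs no relocations to take effect). The script below is an added example, not part of the Joe Sandbox report, that decodes both flag words from a raw PE header and applies that check. The header it parses is constructed in build_sample_header() from the flag names in the report; it is not the sample's actual bytes, and the image base, section count and relocation directory RVA in it are assumptions.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Parse the COFF file header and optional header of a PE32/PE32+ image.
    Returns the decoded flag words plus the size of the base relocation
    directory (0 when the image carries no relocations)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    oh = fh + 20
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", data, oh + 28)[0]
        n_dirs_off, dirs = oh + 92, oh + 96
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", data, oh + 24)[0]
        n_dirs_off, dirs = oh + 108, oh + 112
    else:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    dll_characteristics = struct.unpack_from("<H", data, oh + 70)[0]
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    reloc_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "machine": machine,
        "image_base": image_base,
        "characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_characteristics, DLL_CHARACTERISTICS),
        "reloc_dir_size": reloc_size,
    }


def aslr_effective(info):
    """DYNAMIC_BASE only opts the image in to ASLR; the loader can rebase it
    only when relocations exist. RELOCS_STRIPPED or an empty relocation
    directory means the image lands at image_base on every run."""
    return ("DYNAMIC_BASE" in info["dll_characteristics"]
            and "RELOCS_STRIPPED" not in info["characteristics"]
            and info["reloc_dir_size"] > 0)


def build_sample_header(characteristics, dll_characteristics, reloc_size=0):
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header
    and a 224-byte optional header with 16 zeroed data directories. Only the
    two flag words come from the report; everything else is an assumption."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase (assumed)
    struct.pack_into("<H", opt, 68, 2)                              # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x5000 if reloc_size else 0, reloc_size)       # .reloc RVA/size (assumed)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x010F and 0x8540 are the flag names from the report encoded as bit masks.
    info = parse_pe_headers(build_sample_header(0x010F, 0x8540))
    print("Characteristics   :", ", ".join(info["characteristics"]))
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    print("ASLR effective    :", aslr_effective(info))
```

Pointing parse_pe_headers() at the bytes of a real file works the same way; for anything beyond a quick triage check use pefile, which also validates the section table and the rest of the optional header.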

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.815535912.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_10002DE0 push eax; ret
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Local\Temp\nsc1ED3.tmp\System.dll (dropped file)
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Internalisere\Brnesangen.End
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\libxml2-2.0.typelib
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\logicalization\sgelngdernes.Dep74
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\memstat.c
    Source: C:\Users\user\Desktop\E-DEKONT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Sldede\selection-end-symbolic.symbolic.png
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\E-DEKONT.exe | RDTSC instruction interceptor: First address: 0000000002982199, second address: 0000000002982199, instructions:
        0x00000000 rdtsc
        0x00000002 test bl, al
        0x00000004 cmp bh, ch
        0x00000006 cmp ebx, ecx
        0x00000008 jc 00007FC854E72952h
        0x0000000a cmp eax, ecx
        0x0000000c cmp bl, dl
        0x0000000e inc ebp
        0x0000000f inc ebx
        0x00000010 rdtsc
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00402862 FindFirstFileW,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\E-DEKONT.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
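The interceptor output in this section is the classic two-RDTSC timing probe: read the time-stamp counter, execute a handful of register-only instructions that touch no memory, read it again and compare the delta against a threshold. Under a hypervisor that traps RDTSC, under an emulator, or under a single-stepping debugger the delta is orders of magnitude larger than on bare metal, which is what the "Tries to detect virtualization through RDTSC time measurements" signature refers to. The script below is an added example, not part of the report, and does the two things an analyst wants when such output appears: it scans a memory dump for RDTSC opcode pairs that sit within a short window, and it models the delta comparison the loader performs. The dump bytes are constructed from the instruction listing above (one valid encoding of each instruction; the jc displacement is assumed, since the report shows only the resolved target), and the threshold and cycle counts used at the bottom are illustrative.

```python
import re

RDTSC = b"\x0f\x31"  # opcode bytes of the RDTSC instruction


def find_rdtsc_pairs(code, max_gap=64):
    """Offsets of consecutive RDTSC opcodes that lie within max_gap bytes of
    each other. Two timestamp reads this close together are the signature of
    a timing-based sandbox check; a lone RDTSC is common in benign code."""
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def scan(dump, base=0):
    """Absolute addresses of suspicious RDTSC pairs in a dump loaded at base."""
    return [(base + a, base + b) for a, b in find_rdtsc_pairs(dump)]


def tsc_delta_is_suspicious(first, second, threshold):
    """Model of the run-time check: if more than `threshold` cycles elapsed
    between the two reads, the instructions were trapped, single-stepped or
    emulated and the loader assumes it is being analysed. The subtraction
    is done modulo 2**64 because the TSC is a 64-bit counter."""
    delta = (second - first) & 0xFFFFFFFFFFFFFFFF
    return delta > threshold


# Constructed bytes assembled from the instruction listing in the report.
# Register-to-register compares have two legal encodings; one is used here.
# The 8-bit jc displacement (0x10) is an assumption: the report shows only
# the resolved branch target, not the encoded byte.
SAMPLE_DUMP = bytes.fromhex(
    "0f31"     # 0x00 rdtsc
    "84c3"     # 0x02 test bl, al
    "38ef"     # 0x04 cmp bh, ch
    "39cb"     # 0x06 cmp ebx, ecx
    "7210"     # 0x08 jc +0x10        (displacement assumed)
    "39c8"     # 0x0a cmp eax, ecx
    "38d3"     # 0x0c cmp bl, dl
    "45"       # 0x0e inc ebp
    "43"       # 0x0f inc ebx
    "0f31"     # 0x10 rdtsc
)

# Constructed benign control: two RDTSCs 200 bytes apart are not a probe.
BENIGN_DUMP = RDTSC + b"\x90" * 200 + RDTSC


if __name__ == "__main__":
    # Base address taken from the interceptor line in the report.
    for first, second in scan(SAMPLE_DUMP, base=0x02982199):
        print("paired rdtsc at 0x%08x and 0x%08x" % (first, second))
    print("benign control:", scan(BENIGN_DUMP))
    # Illustrative cycle counts: a native run sees a few dozen cycles between
    # the reads, a trapped or emulated run sees thousands.
    print("native  :", tsc_delta_is_suspicious(1_000_000, 1_000_040, 1_000))
    print("trapped :", tsc_delta_is_suspicious(1_000_000, 1_050_000, 1_000))
```

Raw opcode matching on a dump will occasionally hit 0F 31 inside data or in the middle of a longer instruction; the pair-within-window rule removes most of that noise, and running a disassembler (capstone, for instance) over each candidate window is the next step before treating a hit as evidence.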
    MITRE ATT&CK Matrix

    The number in parentheses is the count of signatures matched for that technique; techniques listed without a count had no matching signature in this analysis.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Native API (1); Scheduled Task/Job; At (Linux)
    Persistence: Windows Service (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows)
    Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Registry Run Keys / Startup Folder (1)
    Defense Evasion: Masquerading (1); Access Token Manipulation (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Encrypted Channel (1); Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data