Windows Analysis Report
DHL04AWB01173903102023PDF.scr.exe

Overview

General Information

Sample Name: DHL04AWB01173903102023PDF.scr.exe
Analysis ID: 828071
MD5: 1bf124cc783ff47a91ada4e6d4ac9e6b
SHA1: b78f2ffb785071ab785830cdd4cbc5f010b7480b
SHA256: 494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9
Tags: DHL, exe, RemcosRAT, scr, signed

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Found potential ransomware demand text
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DHL04AWB01173903102023PDF.scr.exe Virustotal: Detection: 13%
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, ContactsApi.dll.0.dr
Source: Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00402706 FindFirstFileW, 0_2_00402706
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040572C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_004061E0 FindFirstFileW,FindClose, 0_2_004061E0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DHL04AWB01173903102023PDF.scr.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://www.nero.com
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00405290 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405290

Spam, unwanted Advertisements and Ransom Demands

Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: nseEDA7.tmp.0.dr String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: ContactsApi.dll.0.dr String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: msado25.tlb.0.dr Static PE information: No import functions for PE file found
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDefConvertor.DLL vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040331C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00404ACD 0_2_00404ACD
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_004064F2 0_2_004064F2
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Process Stats: CPU usage > 98%
Source: DHL04AWB01173903102023PDF.scr.exe Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File read: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\nseEDA6.tmp
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File written: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini
Source: classification engine Classification label: mal64.rans.troj.evad.winEXE@1/11@0/0
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00404587 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404587
Source: DHL04AWB01173903102023PDF.scr.exe Static file information: File size 1211760 > 1048576

Data Obfuscation

Source: Yara match File source: 00000000.00000002.832197103.0000000006825000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_10002D50 push eax; ret 0_2_10002D7E
Source: ContactsApi.dll.0.dr Static PE information: section name: .nep
Source: msado25.tlb.0.dr Static PE information: 0x8DBA1FD3 [Sun May 7 15:54:59 2045 UTC]
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406207
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe File created: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe RDTSC instruction interceptor: First address: 0000000006948C31 second address: 0000000006948C31 instructions:
0x00000000 rdtsc
0x00000002 cmp ecx, edx
0x00000004 cmp ecx, edx
0x00000006 cmp ebx, ecx
0x00000008 jc 00007F18C8FF67D2h
0x0000000a test ecx, edx
0x0000000c inc ebp
0x0000000d inc ebx
0x0000000e cmp ebx, eax
0x00000010 rdtsc
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe Code function: 0_2_00405EBF GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405EBF
No contacted IP information