Windows Analysis Report
DHLIN00178.exe

Overview

General Information

Sample Name: DHLIN00178.exe
Analysis ID: 829130
MD5: 66fdf2df4fc8601124df76c284f797e1
SHA1: 88031f2f9bfbf3eb0b069c68fd4ed4ee288daf9f
SHA256: e07a149d14fc37367e7331342d07dc45aec9ef7bbce780ea636c5d04f6c26f3f
Tags: DHLexesigned
Infos:

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Generic Downloader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: DHLIN00178.exe Virustotal: Detection: 12% Perma Link
Uses 32bit PE files
Source: DHLIN00178.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHLIN00178.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.dll.0.dr
Source: Binary string: maintenanceservice.pdb@ 0%P% source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.dll.0.dr
Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr
Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr
Source: Binary string: maintenanceservice.pdb source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_004062DD FindFirstFileA,FindClose, 0_2_004062DD
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004057A2
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll, type: DROPPED
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHLIN00178.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DHLIN00178.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: DHLIN00178.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: DHLIN00178.exe String found in binary or memory: http://s.symcd.com06
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: DHLIN00178.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHLIN00178.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHLIN00178.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://www.nero.com
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: DHLIN00178.exe, SolutionExplorerCLI.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: DHLIN00178.exe, SolutionExplorerCLI.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: DHLIN00178.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr, System.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr String found in binary or memory: https://mozilla.org0
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr, libpkcs11-helper-1.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040523F
Uses 32bit PE files
Source: DHLIN00178.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
PE file does not import any functions
Source: System.Security.Cryptography.X509Certificates.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs DHLIN00178.exe
Source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dll@ vs DHLIN00178.exe
Source: DHLIN00178.exe, 00000000.00000003.303404197.0000000002850000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs DHLIN00178.exe
Source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs DHLIN00178.exe
Source: DHLIN00178.exe, 00000000.00000000.297999604.0000000000469000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs DHLIN00178.exe
Source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs DHLIN00178.exe
Source: DHLIN00178.exe Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs DHLIN00178.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403235
Detected potential crypto function
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00406666 0_2_00406666
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_72DD1A98 0_2_72DD1A98
PE / OLE file has an invalid certificate
Source: DHLIN00178.exe Static PE information: invalid certificate
PE file contains more sections than normal
Source: percentile.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: libdatrie-1.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: libpkcs11-helper-1.dll.0.dr Static PE information: Number of sections : 12 > 10
PE file contains executable resources (Code or Archives)
Source: System.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\DHLIN00178.exe Process Stats: CPU usage > 98%
Source: DHLIN00178.exe Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\DHLIN00178.exe File read: C:\Users\user\Desktop\DHLIN00178.exe Jump to behavior
Source: DHLIN00178.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHLIN00178.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403235
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Temp\nstE049.tmp Jump to behavior
Source: classification engine Classification label: mal64.troj.evad.winEXE@1/10@0/0
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar, 0_2_00402138
Source: C:\Users\user\Desktop\DHLIN00178.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004044FA
Source: DHLIN00178.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.dll.0.dr
Source: Binary string: maintenanceservice.pdb@ 0%P% source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: DHLIN00178.exe, 00000000.00000003.302938136.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.dll.0.dr
Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: DHLIN00178.exe, 00000000.00000003.301912869.000000000285D000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.0.dr
Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: DHLIN00178.exe, 00000000.00000003.301192260.0000000002857000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.0.dr
Source: Binary string: maintenanceservice.pdb source: DHLIN00178.exe, 00000000.00000003.303732226.0000000002855000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.821986246.0000000009D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_72DD2F60 push eax; ret 0_2_72DD2F8E
PE file contains sections with non-standard names
Source: libdatrie-1.dll.0.dr Static PE information: section name: .xdata
Source: libpkcs11-helper-1.dll.0.dr Static PE information: section name: .xdata
Source: maintenanceservice2.exe.0.dr Static PE information: section name: .00cfg
Source: percentile.dll.0.dr Static PE information: section name: .xdata
Source: percentile.dll.0.dr Static PE information: section name: /4
Source: percentile.dll.0.dr Static PE information: section name: /19
Source: percentile.dll.0.dr Static PE information: section name: /31
Source: percentile.dll.0.dr Static PE information: section name: /45
Source: percentile.dll.0.dr Static PE information: section name: /57
Source: percentile.dll.0.dr Static PE information: section name: /70
Source: percentile.dll.0.dr Static PE information: section name: /81
Source: percentile.dll.0.dr Static PE information: section name: /92
Binary contains a suspicious time stamp
Source: System.Security.Cryptography.X509Certificates.dll.0.dr Static PE information: 0xF15766E0 [Tue Apr 22 20:30:24 2098 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_72DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_72DD1A98
Drops PE files
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\SolutionExplorerCLI.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Temp\nsb19E8.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\libpkcs11-helper-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\maintenanceservice2.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\libdatrie-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Mandslinien\Characterizable\Senilitetstegnet\percentile.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DHLIN00178.exe RDTSC instruction interceptor: First address: 000000000A51D8C7 second address: 000000000A51D8C7 instructions: 0x00000000 rdtsc 0x00000002 test bh, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F87A501B604h 0x00000008 test ch, ch 0x0000000a inc ebp 0x0000000b cmp cl, dl 0x0000000d inc ebx 0x0000000e rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\SolutionExplorerCLI.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\libpkcs11-helper-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\maintenanceservice2.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\libdatrie-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Mandslinien\Characterizable\Senilitetstegnet\percentile.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_004062DD FindFirstFileA,FindClose, 0_2_004062DD
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004057A2
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\DHLIN00178.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHLIN00178.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\DHLIN00178.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_72DD1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_72DD1A98
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 0_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403235
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829130 Sample: DHLIN00178.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 64 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected GuLoader 2->19 21 Yara detected Generic Downloader 2->21 5 DHLIN00178.exe 1 41 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 C:\Users\user\AppData\Local\...\System.dll, PE32 5->11 dropped 13 C:\Users\user\...\maintenanceservice2.exe, PE32+ 5->13 dropped 15 5 other files (none is malicious) 5->15 dropped 23 Tries to detect virtualization through RDTSC time measurements 5->23 signatures5
No contacted IP infos