Windows Analysis Report
SC.028UCCP.exe

Overview

General Information

Sample Name: SC.028UCCP.exe
Analysis ID: 830301
MD5: 3f8f4a7f43b5627ed45128bb99f0b471
SHA1: 1c1931fe8db9b5df89d39e3121fa72c2a355ded1
SHA256: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
Tags: exe, signed

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: SC.028UCCP.exe ReversingLabs: Detection: 33%
Source: SC.028UCCP.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405475
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_0040264F FindFirstFileA, 0_2_0040264F
Source: SC.028UCCP.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SC.028UCCP.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SC.028UCCP.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SC.028UCCP.exe String found in binary or memory: http://s.symcd.com06
Source: SC.028UCCP.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SC.028UCCP.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SC.028UCCP.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SC.028UCCP.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: SC.028UCCP.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: SC.028UCCP.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FE3
Source: SC.028UCCP.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040310B
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00404822 0_2_00404822
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_004062C3 0_2_004062C3
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00406A9A 0_2_00406A9A
Source: SC.028UCCP.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\SC.028UCCP.exe Process Stats: CPU usage > 98%
Source: SC.028UCCP.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\SC.028UCCP.exe File read: C:\Users\user\Desktop\SC.028UCCP.exe
Source: SC.028UCCP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SC.028UCCP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SC.028UCCP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SC.028UCCP.exe File created: C:\Users\user\Documents\Snarer.ini
Source: C:\Users\user\Desktop\SC.028UCCP.exe File created: C:\Users\user\AppData\Local\Temp\nstD527.tmp
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\SC.028UCCP.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042E6

Data Obfuscation

Source: Yara match File source: 00000000.00000002.782394015.000000000400D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782394015.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, type: DROPPED
Source: Yara match File source: 00000000.00000002.782049027.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_10002CE0 push eax; ret 0_2_10002D0E
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405EC3
Source: C:\Users\user\Desktop\SC.028UCCP.exe File created: C:\Users\user\AppData\Local\Temp\nsuD883.tmp\System.dll
Source: C:\Users\user\Desktop\SC.028UCCP.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SC.028UCCP.exe RDTSC instruction interceptor: First address: 00000000041F6C3D second address: 00000000041F6C3D instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB3B0BEAC3Fh
    0x00000006 cmp esi, F36905EDh
    0x0000000c test edx, ebx
    0x0000000e inc ebp
    0x0000000f test bl, cl
    0x00000011 inc ebx
    0x00000012 pushad
    0x00000013 mov di, 3123h
    0x00000017 cmp di, 3123h
    0x0000001c jne 00007FB3B0BEDC0Ah
    0x00000022 popad
    0x00000023 rdtsc
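The intercepted block above brackets junk instructions (bogus compares, a pushad/popad pair around a mov/cmp/jne that can never branch because the compared values are identical) between two rdtsc reads. The point of the pattern is the cycle count between the two reads: a hypervisor or instrumented sandbox that traps rdtsc, or single-steps the code, makes that delta far larger than on bare metal, and the loader branches on it. The following C program is an added example that is not code from this report or from the sample; it implements that timing check in plain form. The loop length, sample count and the 100000-cycle threshold are assumed values for illustration, not figures recovered from the binary, and on non-x86 hosts a monotonic nanosecond clock stands in for the TSC so the decision logic still compiles and runs.

```c
/* Added example: RDTSC-delta virtualization check of the kind flagged above.
 * Not code from the sandbox report or from the analysed sample. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Real time-stamp counter read, the instruction the sandbox intercepts. */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
/* Fallback for non-x86 hosts (assumption for portability): monotonic
 * nanoseconds stand in for the TSC so the same logic can be exercised. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Two counter reads around a fixed amount of work, mirroring the
 * rdtsc ... rdtsc pair in the intercepted block. The volatile sink keeps
 * the optimizer from deleting the loop. */
uint64_t timed_delta(unsigned iterations) {
    volatile unsigned sink = 0;
    uint64_t start = read_counter();
    for (unsigned i = 0; i < iterations; i++) sink += i;
    uint64_t end = read_counter();
    return end - start;
}

/* Policy kept as a pure function so it can be tested without timing noise:
 * a delta strictly above the threshold is treated as "instrumented". */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

/* Repeat the measurement and keep the minimum. A single sample is noisy
 * (interrupts, context switches); taking the best of N is what keeps a
 * check like this from misfiring on bare metal, and it is why a sandbox
 * must hook the instruction itself rather than merely run slowly. */
uint64_t min_delta(unsigned samples, unsigned iterations) {
    uint64_t best = UINT64_MAX;
    for (unsigned s = 0; s < samples; s++) {
        uint64_t d = timed_delta(iterations);
        if (d < best) best = d;
    }
    return best;
}

int main(void) {
    const uint64_t threshold = 100000; /* assumed value; tune per platform */
    uint64_t d = min_delta(16, 1000);
    printf("min delta over 16 runs: %llu -> %s\n",
           (unsigned long long)d,
           looks_instrumented(d, threshold) ? "instrumented" : "native");
    return 0;
}
```

Build with `cc -O2 rdtsc_check.c` and run it once on bare metal and once under a hypervisor or a debugger single-stepping the loop; the minimum delta is what the loader would compare, and the gap between the two runs is what makes the check useful to an evasive loader and, conversely, why the sandbox reports every rdtsc pair it intercepts.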
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405475
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_0040264F FindFirstFileA, 0_2_0040264F
Source: C:\Users\user\Desktop\SC.028UCCP.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405EC3
Source: C:\Users\user\Desktop\SC.028UCCP.exe Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405BBA
No contacted IP infos