Windows Analysis Report
SC.028UCCP.exe

Overview

General Information

Sample Name: SC.028UCCP.exe
Analysis ID: 830301
MD5: 3f8f4a7f43b5627ed45128bb99f0b471
SHA1: 1c1931fe8db9b5df89d39e3121fa72c2a355ded1
SHA256: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
Tags: exe, signed

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • SC.028UCCP.exe (PID: 5928 cmdline: C:\Users\user\Desktop\SC.028UCCP.exe MD5: 3F8F4A7F43B5627ED45128BB99F0B471)
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000000.00000002.782049027.00000000005D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
00000000.00000002.782394015.0000000002B00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000000.00000002.782394015.000000000400D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SC.028UCCP.exe | ReversingLabs: Detection: 33%
Source: SC.028UCCP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_0040264F FindFirstFileA,
Source: SC.028UCCP.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SC.028UCCP.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SC.028UCCP.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SC.028UCCP.exe | String found in binary or memory: http://s.symcd.com06
Source: SC.028UCCP.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SC.028UCCP.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SC.028UCCP.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SC.028UCCP.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: SC.028UCCP.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: SC.028UCCP.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00404822
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_004062C3
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00406A9A
Source: SC.028UCCP.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SC.028UCCP.exe | File read: C:\Users\user\Desktop\SC.028UCCP.exe
Source: SC.028UCCP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SC.028UCCP.exe | File created: C:\Users\user\Documents\Snarer.ini
Source: C:\Users\user\Desktop\SC.028UCCP.exe | File created: C:\Users\user\AppData\Local\Temp\nstD527.tmp
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.782394015.000000000400D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.782394015.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, type: DROPPED
Source: Yara match | File source: 00000000.00000002.782049027.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_10002CE0 push eax; ret
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | File created: C:\Users\user\AppData\Local\Temp\nsuD883.tmp\System.dll
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SC.028UCCP.exe | RDTSC instruction interceptor: First address: 00000000041F6C3D, second address: 00000000041F6C3D, instructions:
0x00000000 rdtsc
0x00000002 cmp ebx, ecx
0x00000004 jc 00007FB3B0BEAC3Fh
0x00000006 cmp esi, F36905EDh
0x0000000c test edx, ebx
0x0000000e inc ebp
0x0000000f test bl, cl
0x00000011 inc ebx
0x00000012 pushad
0x00000013 mov di, 3123h
0x00000017 cmp di, 3123h
0x0000001c jne 00007FB3B0BEDC0Ah
0x00000022 popad
0x00000023 rdtsc
Between the two rdtsc reads, the mov di, 3123h / cmp di, 3123h / jne triple is an opaque predicate (the compare always succeeds, so the jump is never taken) and the remaining cmp/test/inc instructions are filler. The window therefore costs only a handful of cycles on bare metal; an instrumented or emulated environment adds measurable overhead inside it, which is what the timing check keys on. The comparison of the two counter values against a threshold is not part of this intercepted excerpt.
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_0040264F FindFirstFileA,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\SC.028UCCP.exe | Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
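The file-system behaviour recorded in this report (an NSIS System.dll plugin written to %TEMP%\ns????.tmp\, a payload file two directories deep under %TEMP%, and CPU pinned above 98%) is the part that translates most directly into endpoint telemetry. What follows is an added example and not part of the Joe Sandbox report or of any GuLoader tooling: it correlates constructed, Sysmon-style file-create and CPU-sample events per process and alerts only when the plugin drop and the nested drop come from the same process. The regular expressions, the 95% CPU threshold, the event field names and the sample events are all assumptions. System.dll on its own is ordinary NSIS behaviour (the report rates the dropped copy as very likely benign), so the example never alerts on that alone.

```python
"""Correlate the NSIS/GuLoader drop chain from this report across per-process events.

Added example; not part of the Joe Sandbox report. Event records use a
constructed, simplified Sysmon-like shape (field names are assumptions).
"""
import re
from collections import defaultdict

# Patterns derived from the paths observed in the report (assumptions, not Joe rules):
#   %TEMP%\nsuD883.tmp\System.dll                   -> NSIS System plugin directory
#   %TEMP%\Unepitomizeds\Indlaansrenter\Patter.Lam  -> payload two levels deep
NSIS_PLUGIN_DLL = re.compile(
    r"\\AppData\\Local\\Temp\\ns[a-z][0-9A-F]{4}\.tmp\\System\.dll$", re.IGNORECASE)
NESTED_TEMP_DROP = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\\[^\\]+$", re.IGNORECASE)
CPU_THRESHOLD = 95.0  # percent per sample (assumption); the report flagged > 98 %

# Constructed sample events (not real telemetry). PID 5928 mirrors the
# report's process; PID 7012 is a plain NSIS installer for contrast.
SAMPLE_EVENTS = [
    {"pid": 5928, "type": "FileCreate",
     "path": r"C:\Users\user\AppData\Local\Temp\nsuD883.tmp\System.dll"},
    {"pid": 5928, "type": "FileCreate",
     "path": r"C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam"},
    {"pid": 5928, "type": "FileCreate", "path": r"C:\Users\user\Documents\Snarer.ini"},
    {"pid": 5928, "type": "CpuSample", "percent": 99.1},
    {"pid": 5928, "type": "CpuSample", "percent": 98.7},
    {"pid": 7012, "type": "FileCreate",
     "path": r"C:\Users\user\AppData\Local\Temp\nsa1F2E.tmp\System.dll"},
    {"pid": 7012, "type": "FileCreate",
     "path": r"C:\Users\user\AppData\Local\Temp\nsa1F2E.tmp\InstallOptions.dll"},
    {"pid": 7012, "type": "CpuSample", "percent": 3.0},
]


def score_processes(events):
    """Aggregate indicators per pid and return {pid: verdict}."""
    state = defaultdict(lambda: {"nsis_plugin": False, "nested_drops": [], "cpu_hits": 0})
    for ev in events:
        st = state[ev["pid"]]
        if ev["type"] == "FileCreate":
            if NSIS_PLUGIN_DLL.search(ev["path"]):
                st["nsis_plugin"] = True
            elif NESTED_TEMP_DROP.search(ev["path"]):
                st["nested_drops"].append(ev["path"])
        elif ev["type"] == "CpuSample" and ev["percent"] >= CPU_THRESHOLD:
            st["cpu_hits"] += 1
    return {pid: evaluate(st) for pid, st in state.items()}


def evaluate(st):
    """Turn one process's aggregated state into indicators, a score and an alert flag."""
    indicators = []
    if st["nsis_plugin"]:
        indicators.append("nsis_system_plugin")
    if st["nested_drops"]:
        indicators.append("nested_temp_drop")
    if st["cpu_hits"] >= 2:
        indicators.append("high_cpu_samples")
    # System.dll alone is what every NSIS installer does, so the alert requires
    # the nested drop from the same process; the CPU samples only add confidence.
    alert = st["nsis_plugin"] and bool(st["nested_drops"])
    return {"indicators": indicators, "score": len(indicators), "alert": alert,
            "drops": list(st["nested_drops"])}


if __name__ == "__main__":
    for pid, verdict in score_processes(SAMPLE_EVENTS).items():
        print(pid, "ALERT" if verdict["alert"] else "ok", verdict["indicators"])
```

Run on the constructed events, PID 5928 alerts with all three indicators and PID 7012 stays at a score of one, which is the behaviour to expect from any signed, legitimate NSIS installer.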
MITRE ATT&CK techniques with matching signatures (number of matches in parentheses):
• Execution: Native API (1)
• Defense Evasion: Masquerading (1), Obfuscated Files or Information (1)
• Discovery: Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (13)
• Collection: Archive Collected Data (1), Clipboard Data (1)
• Command and Control: Encrypted Channel (1)
• Impact: System Shutdown/Reboot (1)
No matches in Initial Access, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Exfiltration, Network Effects or Remote Service Effects.


Source | Detection | Scanner | Label
SC.028UCCP.exe | 33% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nsuD883.tmp\System.dll | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | SC.028UCCP.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | SC.028UCCP.exe | false | | high
No contacted IP infos
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830301
Start date and time: 2023-03-20 08:44:20 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: SC.028UCCP.exe
Detection: MAL
Classification: mal76.troj.evad.winEXE@1/4@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 60.4% (good quality ratio 59%)
• Quality average: 87%
• Quality standard deviation: 23.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: SC.028UCCP.exe
Process: C:\Users\user\Desktop\SC.028UCCP.exe
File Type: data
Category: dropped
Size (bytes): 268768
Entropy (8bit): 7.143396451103385
Encrypted: false
SSDEEP: 6144:qJAA/mPgVn081S1KOqpIrh02aq18CUcmQd:TA/moVw1HP02J8CUcVd
MD5: C6AF2E59D4C09946D5F809241D770F50
SHA1: 266B1073C52D94E9451AA08B2605F2237E5F8A0C
SHA-256: 89E42F99BB457998B2FA3A4D0973ABFE9A39163227F56C8D000CCE44F1EF0070
SHA-512: B005D4324152790A8BDAAAEE6272A899639FF8D5E1E1FFE1E1219C569F9D271C4A21440F709CA3693A5F80A664501D3AB79EBA81B5B9D07C8870FE5AC15D5124
Malicious: true
Yara Hits:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, Author: Joe Security
Reputation: low
Preview: every byte in the shown prefix is non-printable (rendered as dots in the report)
Process: C:\Users\user\Desktop\SC.028UCCP.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, components 3
Category: dropped
Size (bytes): 5717
Entropy (8bit): 7.862470085974542
Encrypted: false
SSDEEP: 96:BSTzREom7JPxQ7OTst5UcVq9JD6EgZEoW249KONYq9iwry9t1Bs6UQJaE424CZ:oXRgtPEOa6+q65Zr87YXwry9tzuCZ
MD5: B182207A878FA708746DA5A94F08A581
SHA1: 4EF329C2643A9B5E19F491D644A96EF3E7388BE6
SHA-256: 40125E69AA66C655FA44F83BBDEB7E9F24FE81D69CC717651A42C908483FF687
SHA-512: 2368E6533A4D660C08C6F196F38CE2F706C8486AA9E5B1C2413988251184D6A928A348E74DDF0FB098F928D7FCFA4DD71829766E1964E3E5085D642497D034B4
Malicious: false
Reputation: low
              Preview:......JFIF.....d.d.....:Exif..MM.*......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......9o.^....3N>-.~..-......j.|w.Vu..n..N...#...c......a...M.$......n:..m....?..z..1...^_.1.iE..]O.9..|.6.b.E.vVF..h6.i.=|...~.....H.|.^.U.W.@6..}vz..^ON+....M......{......2OZ..=..@w,..c#..`s.A>....O.<.iw9Y....V...Qx_...@6..';Bg.;...J~...2.#.........~.2:..#..0k.6.K...[k.V....>c.98.-..=..Z&...W.:......
Process: C:\Users\user\Desktop\SC.028UCCP.exe
File Type: GTA audio index data (SDT)
Category: dropped
Size (bytes): 42868
Entropy (8bit): 4.531239376712852
Encrypted: false
SSDEEP: 768:BmzeD2YSUGt8UN3/hCwqfWCixEmPmXZNIYmhaspQZV:BF9SfyUNvrxEmMAHpQT
MD5: 545F37C048EB23C04FF82F592FB89DEB
SHA1: 9ED7C0D724A7A1C7E38F2A5134D1325B49FCCF25
SHA-256: DA3CADFEE6D3939C607B6F60B12861931ABD8E7441A2C148C396A38957C7D4DF
SHA-512: 0EB46B15043855818821DD3C60A491E83DF943A30E3BC57E9D37F81AAFF697DFFEF94CE8874A1F61E1E93B7BA2FD740E4FAF7E267BFB1B5B708F1979ED292655
Malicious: false
Reputation: low
              Preview:........zz.......++..........^^^...............l....................."".R..............6......cccccc.B.....(..}}....>>>>>.B.?.C..J.O..yy.....C.....!!..MMMM........pp.......................P...'................g.CC...ww........K.......9.;;....X.........W.....6.....%.........+.........ll..........@..CCCC...0.555................R.......iiii...333.....g..WWW........M...........................D.r..............................A.L.[..........5..,........P..X.....................kkkkk...................w............VVVV.......?...........................+...................................gggg.$.......DDDD.??..........m.............................r......`............;.......bb..ZZ.....................z......O...QQ.....!.....................XX......X.........???.>>>.P............L....O.{...............v..........ff.....!!!...K....6........................#....eee...........?......9...........;...........o......``................................kkk..............U...;;;.......$............h....
Process: C:\Users\user\Desktop\SC.028UCCP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11264
Entropy (8bit): 5.72460245623286
Encrypted: false
SSDEEP: 96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
MD5: CF85183B87314359488B850F9E97A698
SHA1: 6B6C790037EEC7EBEA4D05590359CB4473F19AEA
SHA-256: 3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
SHA-512: FE484B3FC89AEED3A6B71B90B90EA11A787697E56BE3077154B6DDC2646850F6C38589ED422FF792E391638A80A778D33F22E891E76B5D65896C6FB4696A2C3B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...k..Q...........!.................&.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..H....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.920107350850815
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SC.028UCCP.exe
File size: 267392
MD5: 3f8f4a7f43b5627ed45128bb99f0b471
SHA1: 1c1931fe8db9b5df89d39e3121fa72c2a355ded1
SHA256: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
SHA512: 800a88ff5985f832c73fbada7fa71175531dbe9bd47a93bc8941817e791d8868cfedd4dad2f82604ce06e1e2136821b963d35e23d580edf2d260475eb213ff6f
SSDEEP: 6144:4auq7FPth0P6iM7EFsjSHR58yQITE1vE1P57hO5FKHJa:HFPr0SirFjC1yP5NO5FKg
TLSH: AE4412172BE645FFF9D78C72103AEAB3F5BBE6580817144E0B266F7A7D00603092969D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L......Q.................^...........1.......p....@
Icon Hash: b2a88c96b2ca6a72
Entrypoint: 0x40310b
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x51E3058F [Sun Jul 14 20:09:51 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b40f29cd171eb54c01b1dd2683c9c26b
Signature Valid: false
Signature Issuer: E=synsmaades@Lakeside.Fo, OU="Virksomhedsledelsens Tensionerne ", O=Draconis, L=Saint-Projet, S=Nouvelle-Aquitaine, C=FR
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After
• 8/19/2022 10:31:00 PM 8/18/2025 10:31:00 PM
Subject Chain
• E=synsmaades@Lakeside.Fo, OU="Virksomhedsledelsens Tensionerne ", O=Draconis, L=Saint-Projet, S=Nouvelle-Aquitaine, C=FR
Version: 3
Thumbprint MD5: 82A2F162C13C97C7C5BD9D1EF5E3E352
Thumbprint SHA-1: 0A4EF0B597133BD21B48A5030DE4541818CB48DA
Thumbprint SHA-256: 9B7EDD84EF52310C29E72A78ED7E0EB44C977D6DE7359675C1845C3D1CD29EBC
Serial: 3E36636B7C2A21B05072BFF828C9540A74C9C941
              Instruction
              sub esp, 00000184h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409190h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407034h]
              push 00008001h
              call dword ptr [004070B0h]
              push ebx
              call dword ptr [0040728Ch]
              push 00000008h
              mov dword ptr [0042EC58h], eax
              call 00007FB3B0AB27D8h
              mov dword ptr [0042EBA4h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 00428FE0h
              call dword ptr [00407164h]
              push 00409180h
              push 0042E3A0h
              call 00007FB3B0AB2482h
              call dword ptr [0040711Ch]
              mov ebp, 00434000h
              push eax
              push ebp
              call 00007FB3B0AB2470h
              push ebx
              call dword ptr [00407114h]
              cmp byte ptr [00434000h], 00000022h
              mov dword ptr [0042EBA0h], eax
              mov eax, ebp
              jne 00007FB3B0AAFA6Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00434001h
              push dword ptr [esp+14h]
              push eax
              call 00007FB3B0AB1F1Dh
              push eax
              call dword ptr [00407220h]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FB3B0AAFB25h
              cmp cl, 00000020h
              jne 00007FB3B0AAFA68h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FB3B0AAFA5Ch
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0x10b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3fc20 | 0x1860 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note on the SECURITY entry: unlike the other directories, its first field is a file offset rather than an RVA, so the ".ndata" placement (which comes from comparing the value against section RVAs) is not meaningful. 0x3fc20 + 0x1860 = 0x41480 = 267392, exactly the file size, so the Authenticode blob is the last 0x1860 bytes of the file, appended after the sections in the usual way.
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5de8 | 0x5e00 | False | 0.6791057180851063 | data | 6.503326078284377 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x12da | 0x1400 | False | 0.4388671875 | data | 5.095966873256735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c98 | 0x400 | False | 0.63671875 | data | 5.037907617207934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2f000 | 0x15000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x44000 | 0x10b0 | 0x1200 | False | 0.3513454861111111 | data | 4.2798158371727295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
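The directory and section tables above are what a PE header walker produces. The Python below is an added example, not code from Joe Sandbox: it walks the DOS and NT headers, lists each section with the same entropy measure the report uses (Shannon entropy over the raw bytes, 0.0 for a section with no raw data such as .ndata), decodes the IMAGE_SCN_* bits, and reads the security directory. That directory holds a file offset rather than an RVA, which is why it cannot really sit "in" .ndata; for this sample 0x3fc20 + 0x1860 = 0x41480 = 267392, the file size, so the Authenticode blob is the file's tail, and the example checks exactly that property (blob ends at end of file, WIN_CERTIFICATE header consistent with the directory size). The bytes it parses come from build_sample_pe(), a synthetic PE32 constructed inside the block; it is not the analysed sample and the real file is not embedded.

```python
"""Minimal PE32 header walker: sections with entropy and flags, plus the
Authenticode (security) directory. Added example, standard library only;
not Joe Sandbox code. build_sample_pe() fabricates the input."""
import math
import struct

SECTION_FLAGS = {  # subset of the IMAGE_SCN_* characteristics bits
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input (cf. .ndata above)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF/optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]  # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "entropy": entropy(raw),
            "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
        })

    # The security directory's first field is a file offset, so it never maps into
    # a section. A well-formed Authenticode blob is the tail of the file and starts
    # with a WIN_CERTIFICATE header: dwLength, wRevision (0x0200), wCertificateType (2).
    security = {"offset": sec_off, "size": sec_size, "at_tail": False, "win_cert": None}
    if sec_size and sec_off + 8 <= len(data):
        security["at_tail"] = sec_off + sec_size == len(data)
        length, rev, ctype = struct.unpack_from("<IHH", data, sec_off)
        security["win_cert"] = {
            "length": length, "revision": rev, "type": ctype,
            "consistent": length == sec_size and rev == 0x0200 and ctype == 0x0002}
    return {"machine": machine, "characteristics": chars, "sections": sections, "security": security}


def build_sample_pe():
    """Synthetic PE32 (constructed here, not the analysed sample): a .text of uniformly
    distributed bytes, an all-zero .data, a raw-size-0 .ndata, and a 0x40-byte dummy
    certificate blob appended at the tail."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<I", opt, 60, 0x200)      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    cert_off, cert_len = 0x600, 0x40
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_len)

    def sec(name, va, vsize, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # DOS header, e_lfanew = 0x40
               + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0103)
               + bytes(opt)
               + sec(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
               + sec(b".data", 0x2000, 0x200, 0x200, 0x400, 0xC0000040)
               + sec(b".ndata", 0x3000, 0x1000, 0, 0, 0xC0000080)).ljust(0x200, b"\0")
    text = bytes((i * 73 + 11) & 0xFF for i in range(0x200))  # each byte value exactly twice
    cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + b"\x30" * (cert_len - 8)
    return headers + text + b"\0" * 0x200 + cert


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f'{s["name"]:<8} va=0x{s["va"]:x} raw=0x{s["raw_size"]:x} '
              f'entropy={s["entropy"]:.3f} {", ".join(s["flags"])}')
    print("security:", pe["security"])
```

Pointing parse_pe at a real file (open it in binary mode and pass the bytes) reproduces the Name/Virtual Address/Raw Size/Entropy/Characteristics columns of the table above; at_tail being False, or a WIN_CERTIFICATE header that disagrees with the directory size, is the first thing to look at when a signed binary fails validation.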
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x44238 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States
RT_ICON | 0x445a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
RT_DIALOG | 0x44888 | 0x144 | data | English | United States
RT_DIALOG | 0x449d0 | 0x13c | data | English | United States
RT_DIALOG | 0x44b10 | 0x100 | data | English | United States
RT_DIALOG | 0x44c10 | 0x11c | data | English | United States
RT_DIALOG | 0x44d30 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x44d90 | 0x14 | data | English | United States
RT_MANIFEST | 0x44da8 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar
USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken
English | United States
              Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.
Target ID: 0
Start time: 08:45:18
Start date: 20/03/2023
Path: C:\Users\user\Desktop\SC.028UCCP.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SC.028UCCP.exe
Imagebase: 0x400000
File size: 267392 bytes
MD5 hash: 3F8F4A7F43B5627ED45128BB99F0B471
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.782049027.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.782394015.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.782394015.000000000400D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
