Windows Analysis Report
download.exe

Overview

General Information

Sample Name: download.exe
Analysis ID: 830512
MD5: 064fa36da0c2ca360b0906cc5bfe67c6
SHA1: a6623c33cbd86bdaee063f897bea1692621494e5
SHA256: 6974c5051372213d0e90147660c4b21bfff238e20c6449acb19f1901bf4729c8
Infos:

Detection

GuLoader
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
PE file does not import any functions
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
PE / OLE file has an invalid certificate
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

Uses 32bit PE files
Source: download.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: download.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405745
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004026FE FindFirstFileA, 0_2_004026FE
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00406280 FindFirstFileA,FindClose, 0_2_00406280
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: lang-1032.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lang-1032.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: lang-1032.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: lang-1032.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: download.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: download.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: lang-1032.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: lang-1032.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: lang-1032.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: download.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: download.exe String found in binary or memory: http://s.symcd.com06
Source: download.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: download.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: download.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: lang-1032.dll.0.dr String found in binary or memory: http://www.avast.com0/
Source: lang-1032.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: download.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: download.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: download.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: lang-1032.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004051E2
Uses 32bit PE files
Source: download.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
PE file does not import any functions
Source: lang-1032.dll.0.dr Static PE information: No import functions for PE file found
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031E9
Creates files inside the system directory
Source: C:\Users\user\Desktop\download.exe File created: C:\Windows\resources\0409 Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00404A21 0_2_00404A21
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_73B61A98 0_2_73B61A98
PE / OLE file has an invalid certificate
Source: download.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: lang-1032.dll.0.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\download.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\download.exe File read: C:\Users\user\Desktop\download.exe Jump to behavior
Source: download.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\download.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\download.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031E9
Source: C:\Users\user\Desktop\download.exe File created: C:\Users\user\AppData\Local\Temp\nsz8D99.tmp Jump to behavior
Source: classification engine Classification label: mal52.troj.evad.winEXE@1/5@0/0
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar, 0_2_004020D1
Source: C:\Users\user\Desktop\download.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004044AE
Source: download.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.779236025.000000000693F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_73B62F20 push eax; ret 0_2_73B62F4E
Drops PE files
Source: C:\Users\user\Desktop\download.exe File created: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\download.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll Jump to dropped file
Source: C:\Users\user\Desktop\download.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\download.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\download.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\download.exe RDTSC instruction interceptor: First address: 0000000006DC4A92 second address: 0000000006DC4A92 instructions: 0x00000000 rdtsc 0x00000002 test edx, ecx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4174E1A261h 0x0000000c pushad 0x0000000d mov si, C771h 0x00000011 cmp si, C771h 0x00000016 jne 00007F4174E1D60Dh 0x0000001c popad 0x0000001d inc ebp 0x0000001e inc ebx 0x0000001f jmp 00007F4174E1A465h 0x00000024 nop 0x00000025 rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\download.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll Jump to dropped file
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405745
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004026FE FindFirstFileA, 0_2_004026FE
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_00406280 FindFirstFileA,FindClose, 0_2_00406280
Source: C:\Users\user\Desktop\download.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\download.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\download.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\download.exe Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031E9
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 830512 Sample: download.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 52 13 Yara detected GuLoader 2->13 5 download.exe 4 29 2->5         started        process3 file4 9 C:\Users\user\AppData\...\lang-1032.dll, PE32 5->9 dropped 11 C:\Users\user\AppData\Local\...\System.dll, PE32 5->11 dropped 15 Tries to detect virtualization through RDTSC time measurements 5->15 signatures5
No contacted IP infos