Windows Analysis Report
New Order59687900898987.exe

Overview

General Information

Sample name: New Order59687900898987.exe
Analysis ID: 1674194
MD5: 288d0b21f1fb2b42ea1fd1995413341b
SHA1: 357218dec3d55889bd38fe7e534d6f77b1287f52
SHA256: 9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
Tags: exe, user-TeamDreier

Detection

GuLoader
Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious PE digital signature
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

AV Detection

Source: New Order59687900898987.exe Avira: detected
Source: New Order59687900898987.exe Virustotal: Detection: 45%
Source: New Order59687900898987.exe ReversingLabs: Detection: 47%
Source: New Order59687900898987.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: New Order59687900898987.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405861
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_0040639C FindFirstFileA,FindClose, 0_2_0040639C
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 12_2_00405861
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_004026F8 FindFirstFileA, 12_2_004026F8
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_0040639C FindFirstFileA,FindClose, 12_2_0040639C
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic TCP traffic: 192.168.2.11:49712 -> 185.29.8.57:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.29.8.57
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/39b-29faacb30994
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.bin
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.bin-
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.bin1
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.bin3iGc3
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binPGJ3
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binPx
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binRPC
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binmx
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binr
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binu
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.29.8.57/eMOsyQgTzrmQeuGlBuW30.binzGl3
Source: New Order59687900898987.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New Order59687900898987.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052FE

System Summary

Source: initial sample Static PE information: Filename: New Order59687900898987.exe
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040330D
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 12_2_0040330D
Source: C:\Users\user\Desktop\New Order59687900898987.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_00406725 0_2_00406725
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_00404B3D 0_2_00404B3D
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_00406725 12_2_00406725
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_00404B3D 12_2_00404B3D
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: String function: 00402AC1 appears 48 times
Source: New Order59687900898987.exe Static PE information: invalid certificate
Source: New Order59687900898987.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal80.troj.evad.winEXE@3/14@0/1
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045CA
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar, 0_2_004020CB
Source: C:\Users\user\Desktop\New Order59687900898987.exe File created: C:\Users\user\AppData\Roaming\afsatsen
Source: C:\Users\user\Desktop\New Order59687900898987.exe File created: C:\Users\user\AppData\Local\Temp\nss285C.tmp
Source: New Order59687900898987.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order59687900898987.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New Order59687900898987.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New Order59687900898987.exe Virustotal: Detection: 45%
Source: New Order59687900898987.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\New Order59687900898987.exe File read: C:\Users\user\Desktop\New Order59687900898987.exe
Source: unknown Process created: C:\Users\user\Desktop\New Order59687900898987.exe "C:\Users\user\Desktop\New Order59687900898987.exe"
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process created: C:\Users\user\Desktop\New Order59687900898987.exe "C:\Users\user\Desktop\New Order59687900898987.exe"
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process created: C:\Users\user\Desktop\New Order59687900898987.exe "C:\Users\user\Desktop\New Order59687900898987.exe"
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\New Order59687900898987.exe File written: C:\Users\user\AppData\Roaming\afsatsen\livssynets\manipulerings\Nstnederste.ini
Source: New Order59687900898987.exe Static file information: File size 1209816 > 1048576
Source: New Order59687900898987.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2439063530.0000000004FA5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3641591448.0000000003635000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E

Persistence and Installation Behavior

Source: Initial sample Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system providers 2) Organization 'jammeren' is not a known legitimate company 3) Email domain 'Iblandingers.Rep' is highly suspicious - not a real TLD and appears randomly generated 4) Large time gap between compilation date (2017) and certificate creation (2024) suggests possible certificate manipulation 5) Certificate signature is explicitly marked as invalid by the system 6) While location is listed as US/Florida, the organization name and email domain appear deliberately deceptive. The combination of a self-signed certificate, invalid signature, suspicious organization details and unusual email domain strongly suggests this is a malicious attempt to appear legitimate.
Source: C:\Users\user\Desktop\New Order59687900898987.exe File created: C:\Users\user\AppData\Local\Temp\nsj2D4F.tmp\System.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\New Order59687900898987.exe API/Special instruction interceptor: Address: 578B493
Source: C:\Users\user\Desktop\New Order59687900898987.exe API/Special instruction interceptor: Address: 3E1B493
Source: C:\Users\user\Desktop\New Order59687900898987.exe RDTSC instruction interceptor: First address: 575D92B second address: 575D92B instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FDEFCEE732Ah
    0x00000006 inc ebp
    0x00000007 inc ebx
    0x00000008 rdtsc
Source: C:\Users\user\Desktop\New Order59687900898987.exe RDTSC instruction interceptor: First address: 3DED92B second address: 3DED92B instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FDEFCC561AAh
    0x00000006 inc ebp
    0x00000007 inc ebx
    0x00000008 rdtsc
Source: C:\Users\user\Desktop\New Order59687900898987.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj2D4F.tmp\System.dll
Source: C:\Users\user\Desktop\New Order59687900898987.exe TID: 2084 Thread sleep time: -160000s >= -30000s
Source: C:\Users\user\Desktop\New Order59687900898987.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405861
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_0040639C FindFirstFileA,FindClose, 0_2_0040639C
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 12_2_00405861
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_004026F8 FindFirstFileA, 12_2_004026F8
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 12_2_0040639C FindFirstFileA,FindClose, 12_2_0040639C
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\New Order59687900898987.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: New Order59687900898987.exe Binary or memory string: 2uVMCi
Source: New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B48000.00000004.00000020.00020000.00000000.sdmp, New Order59687900898987.exe, 0000000C.00000002.3645990114.0000000005B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\New Order59687900898987.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\New Order59687900898987.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_004023D0 lstrlenA,LdrInitializeThunk,RegSetValueExA,RegCloseKey, 0_2_004023D0
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\New Order59687900898987.exe Process created: C:\Users\user\Desktop\New Order59687900898987.exe "C:\Users\user\Desktop\New Order59687900898987.exe"
Source: C:\Users\user\Desktop\New Order59687900898987.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040330D