Analysis Report factura.exe

Overview

General Information

Sample Name:	factura.exe
Analysis ID:	384277
MD5:	5950cbe94b3b5dedbf7b75fa1b95ac84
SHA1:	797bb1231483bb11279f6e63fbb5d675bda58f2a
SHA256:	73f2aa87dad06704e8bbd41fb7449a987dc089160a12ba5e13d7d7f6f4196a4f
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: factura.exe	Virustotal: Detection: 49%	Perma Link
Source: factura.exe	Metadefender: Detection: 27%	Perma Link
Source: factura.exe	ReversingLabs: Detection: 45%

Compliance:

Uses 32bit PE files

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C035C9 InternetReadFile,

15_2_00C035C9

Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://pki.g
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/dU
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/A
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/Mw#
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/S
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/s
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe4J
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe8J
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeOj
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeWJ
Source: RegAsm.exe, 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbef
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbehJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbepJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbewmBbjvsikSdqvbetubek
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeyJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\factura.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C001DE EnumWindows,NtSetInformationThread,	15_2_00C001DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C031B1 NtProtectVirtualMemory,	15_2_00C031B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00219 NtSetInformationThread,	15_2_00C00219
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C0352C NtProtectVirtualMemory,	15_2_00C0352C

Detected potential crypto function

Source: C:\Users\user\Desktop\factura.exe

Code function: 0_2_0040169C

0_2_0040169C

PE file contains strange resources

Source: factura.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions( vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW vs factura.exe
Source: factura.exe, 00000000.00000000.637238818.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe
Source: factura.exe, 00000000.00000002.1021928094.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs factura.exe
Source: factura.exe	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01

Source: factura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\factura.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\factura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: factura.exe	Virustotal: Detection: 49%
Source: factura.exe	Metadefender: Detection: 27%
Source: factura.exe	ReversingLabs: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5388, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403542 push ebx; ret	0_2_00403557
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_0040657D push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_004065AB push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E6A pushad ; ret	0_2_00403E6B
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00401E38 push esp; retf 0040h	0_2_00401E39
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403ED0 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E90 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403F18 push esp; retf	0_2_00403EDA

Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C00AE8 LoadLibraryA,

15_2_00C00AE8

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\factura.exe

RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412C6A second address: 0000000000412C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4842F34h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412B18 second address: 0000000000412A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411B03 second address: 0000000000411B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412BA9 second address: 0000000000412BA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [eax+ecx] 0x0000000e pop dword ptr [ebx+ecx] 0x00000011 cmp bx, ax 0x00000014 test cx, 1B46h 0x00000019 inc ecx 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d cmp dl, bl 0x0000001f cmp ecx, 18h 0x00000022 jne 00007F99E4842F38h 0x00000024 cmp edx, edx 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02C6A second address: 0000000000C02C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4D9B1C4h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02B18 second address: 0000000000C02A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C01B03 second address: 0000000000C01B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5448

Thread sleep time: -40000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWMA=v

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C001DE NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000

15_2_00C001DE

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C01D57 LdrInitializeThunk,

15_2_00C01D57

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00AE8 mov eax, dword ptr fs:[00000030h]	15_2_00C00AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00E25 mov eax, dword ptr fs:[00000030h]	15_2_00C00E25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00FE2 mov eax, dword ptr fs:[00000030h]	15_2_00C00FE2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02BEE mov eax, dword ptr fs:[00000030h]	15_2_00C02BEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C01996 mov eax, dword ptr fs:[00000030h]	15_2_00C01996
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C029BD mov eax, dword ptr fs:[00000030h]	15_2_00C029BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02F5D mov eax, dword ptr fs:[00000030h]	15_2_00C02F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Multi AV Scanner detection for submitted file

Source: factura.exe	Virustotal: Detection: 49%	Perma Link
Source: factura.exe	Metadefender: Detection: 27%	Perma Link
Source: factura.exe	ReversingLabs: Detection: 45%

Compliance:

Uses 32bit PE files

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C035C9 InternetReadFile,

15_2_00C035C9

Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://pki.g
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/dU
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/A
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/Mw#
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/S
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/s
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe4J
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe8J
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeOj
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeWJ
Source: RegAsm.exe, 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbef
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbehJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbepJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbewmBbjvsikSdqvbetubek
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeyJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\factura.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C001DE EnumWindows,NtSetInformationThread,	15_2_00C001DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C031B1 NtProtectVirtualMemory,	15_2_00C031B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00219 NtSetInformationThread,	15_2_00C00219
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C0352C NtProtectVirtualMemory,	15_2_00C0352C

Detected potential crypto function

Source: C:\Users\user\Desktop\factura.exe

Code function: 0_2_0040169C

0_2_0040169C

PE file contains strange resources

Source: factura.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions( vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW vs factura.exe
Source: factura.exe, 00000000.00000000.637238818.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe
Source: factura.exe, 00000000.00000002.1021928094.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs factura.exe
Source: factura.exe	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01

Source: factura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\factura.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\factura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: factura.exe	Virustotal: Detection: 49%
Source: factura.exe	Metadefender: Detection: 27%
Source: factura.exe	ReversingLabs: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5388, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403542 push ebx; ret	0_2_00403557
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_0040657D push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_004065AB push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E6A pushad ; ret	0_2_00403E6B
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00401E38 push esp; retf 0040h	0_2_00401E39
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403ED0 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E90 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403F18 push esp; retf	0_2_00403EDA

Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C00AE8 LoadLibraryA,

15_2_00C00AE8

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\factura.exe

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412C6A second address: 0000000000412C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4842F34h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412B18 second address: 0000000000412A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411B03 second address: 0000000000411B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412BA9 second address: 0000000000412BA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [eax+ecx] 0x0000000e pop dword ptr [ebx+ecx] 0x00000011 cmp bx, ax 0x00000014 test cx, 1B46h 0x00000019 inc ecx 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d cmp dl, bl 0x0000001f cmp ecx, 18h 0x00000022 jne 00007F99E4842F38h 0x00000024 cmp edx, edx 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02C6A second address: 0000000000C02C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4D9B1C4h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02B18 second address: 0000000000C02A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C01B03 second address: 0000000000C01B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5448

Thread sleep time: -40000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWMA=v

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C001DE NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000

15_2_00C001DE

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C01D57 LdrInitializeThunk,

15_2_00C01D57

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00AE8 mov eax, dword ptr fs:[00000030h]	15_2_00C00AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00E25 mov eax, dword ptr fs:[00000030h]	15_2_00C00E25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00FE2 mov eax, dword ptr fs:[00000030h]	15_2_00C00FE2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02BEE mov eax, dword ptr fs:[00000030h]	15_2_00C02BEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C01996 mov eax, dword ptr fs:[00000030h]	15_2_00C01996
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C029BD mov eax, dword ptr fs:[00000030h]	15_2_00C029BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02F5D mov eax, dword ptr fs:[00000030h]	15_2_00C02F5D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

ID:	384277
Product:	CloudBasic
Start time:	20:43:47
Start date:	08.04.2021
Sample:	factura.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5950cbe94b3b5dedbf7b75fa1b95ac84
SHA1:	797bb1231483bb11279f6e63fbb5d675bda58f2a
SHA256:	73f2aa87dad06704e8bbd41fb7449a987dc089160a12ba5e13d7d7f6f4196a4f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report factura.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map