Windows Analysis Report KHAWATMI CO.IMPORT & EXPORT.exe

Overview

General Information

Sample Name: KHAWATMI CO.IMPORT & EXPORT.exe
Analysis ID: 458277
MD5: 0153ae8cf4b1f546721332b5cb3f973c
SHA1: 479858ef740172cb3791527a9c9d0da76eec3af4
SHA256: 97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
Tags: exe
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.583437179.0000000003BD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}
Multi AV Scanner detection for submitted file
Source: KHAWATMI CO.IMPORT & EXPORT.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: KHAWATMI CO.IMPORT & EXPORT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=7B0580AA0B18AE
Note: the configuration labels this URL "Payload URL", i.e. where the next stage is hosted, not a command-and-control endpoint. This run recorded no DNS query and no contacted IP (see "Program does not show much activity" and "No contacted IP infos"), so the OneDrive download was not attempted and the payload that GuLoader would have fetched was not observed.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_004028B8 GetAsyncKeyState, 0_2_004028B8

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDA932 NtWriteVirtualMemory,LoadLibraryA,NtProtectVirtualMemory, 0_2_03BDA932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD611B NtWriteVirtualMemory, 0_2_03BD611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD66C6 NtAllocateVirtualMemory, 0_2_03BD66C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD57AF NtWriteVirtualMemory, 0_2_03BD57AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6795 NtAllocateVirtualMemory, 0_2_03BD6795
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D8D NtWriteVirtualMemory, 0_2_03BD9D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6BFE NtWriteVirtualMemory, 0_2_03BD6BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4DF2 NtWriteVirtualMemory, 0_2_03BD4DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0BEC NtWriteVirtualMemory, 0_2_03BD0BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD53E5 NtWriteVirtualMemory, 0_2_03BD53E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD45CD NtWriteVirtualMemory, 0_2_03BD45CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD51C1 NtWriteVirtualMemory, 0_2_03BD51C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5B03 NtWriteVirtualMemory, 0_2_03BD5B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4F79 NtWriteVirtualMemory, 0_2_03BD4F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD556D NtWriteVirtualMemory, 0_2_03BD556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5B65 NtWriteVirtualMemory, 0_2_03BD5B65
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5681 NtWriteVirtualMemory, 0_2_03BD5681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB4F9 NtWriteVirtualMemory, 0_2_03BDB4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD26E7 NtWriteVirtualMemory, 0_2_03BD26E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4CD1 NtWriteVirtualMemory, 0_2_03BD4CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD58CD NtWriteVirtualMemory, 0_2_03BD58CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD52C9 NtWriteVirtualMemory, 0_2_03BD52C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5A25 NtWriteVirtualMemory, 0_2_03BD5A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD347D NtWriteVirtualMemory, 0_2_03BD347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD547B NtWriteVirtualMemory, 0_2_03BD547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5072 NtWriteVirtualMemory, 0_2_03BD5072
Detected potential crypto function
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB3EA 0_2_03BDB3EA
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDADC1 0_2_03BDADC1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F36 0_2_03BD0F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDA932 0_2_03BDA932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD611B 0_2_03BD611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0680 0_2_03BD0680
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD66C6 0_2_03BD66C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD97B7 0_2_03BD97B7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD45B3 0_2_03BD45B3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD57AF 0_2_03BD57AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD49AE 0_2_03BD49AE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDAFA5 0_2_03BDAFA5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD17A1 0_2_03BD17A1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D8D 0_2_03BD9D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDA18A 0_2_03BDA18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6BFE 0_2_03BD6BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD23F9 0_2_03BD23F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD35F9 0_2_03BD35F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD11F5 0_2_03BD11F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4DF2 0_2_03BD4DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FF2 0_2_03BD9FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0BEC 0_2_03BD0BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FEC 0_2_03BD9FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD53E5 0_2_03BD53E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD63E6 0_2_03BD63E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FD4 0_2_03BD9FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD07D1 0_2_03BD07D1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD45CD 0_2_03BD45CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDADCD 0_2_03BDADCD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB1CF 0_2_03BDB1CF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FCE 0_2_03BD9FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD51C1 0_2_03BD51C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D39 0_2_03BD9D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9F3A 0_2_03BD9F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD972D 0_2_03BD972D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9529 0_2_03BD9529
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDAF29 0_2_03BDAF29
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6D27 0_2_03BD6D27
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD311C 0_2_03BD311C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD2B1E 0_2_03BD2B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD131A 0_2_03BD131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1107 0_2_03BD1107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5B03 0_2_03BD5B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD317D 0_2_03BD317D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD8F7D 0_2_03BD8F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD2F7E 0_2_03BD2F7E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4F79 0_2_03BD4F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F77 0_2_03BD0F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD556D 0_2_03BD556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0361 0_2_03BD0361
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD415D 0_2_03BD415D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F51 0_2_03BD0F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD3951 0_2_03BD3951
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD374E 0_2_03BD374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1546 0_2_03BD1546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDAEBB 0_2_03BDAEBB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB6B4 0_2_03BDB6B4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB091 0_2_03BDB091
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5681 0_2_03BD5681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB4F9 0_2_03BDB4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD08E5 0_2_03BD08E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD26E7 0_2_03BD26E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD94E6 0_2_03BD94E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1EE2 0_2_03BD1EE2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD40DC 0_2_03BD40DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD4CD1 0_2_03BD4CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD34D3 0_2_03BD34D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD58CD 0_2_03BD58CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD52C9 0_2_03BD52C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD8C3C 0_2_03BD8C3C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD303F 0_2_03BD303F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDB036 0_2_03BDB036
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5A25 0_2_03BD5A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD3827 0_2_03BD3827
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD141F 0_2_03BD141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6C1E 0_2_03BD6C1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD347D 0_2_03BD347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD547B 0_2_03BD547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9E75 0_2_03BD9E75
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD5072 0_2_03BD5072
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1665 0_2_03BD1665
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDAE57 0_2_03BDAE57
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD964D 0_2_03BD964D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_0056415D 31_2_0056415D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00564642 31_2_00564642
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_005649AE 31_2_005649AE
Sample file is different than original file name gathered from version info
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.581529736.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.582107830.0000000002120000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 0000001F.00000000.580610712.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Uses 32bit PE files
Source: KHAWATMI CO.IMPORT & EXPORT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File created: C:\Users\user\AppData\Local\Temp\~DF07B0F7EB0D7FE374.TMP Jump to behavior
Source: KHAWATMI CO.IMPORT & EXPORT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: KHAWATMI CO.IMPORT & EXPORT.exe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe' Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32 Jump to behavior
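The version-info signature above is a cheap triage check: the resource's OriginalFilename is Tolip.exe while the file ships as "KHAWATMI CO.IMPORT & EXPORT.exe", the usual shape of a renamed lure. The following is an added example, not Joe Sandbox code, that performs the same comparison in Python on a raw file or a memory dump without a PE parser, by locating the UTF-16 "OriginalFilename" key directly. The SAMPLE bytes are a constructed StringTable fragment built by vs_string (the CompanyName and ProductName values are placeholders), not the real sample's resources; the length cap and printable check are my choices for coping with dump residue such as the "OriginalFilenameuser32j%" string in the evidence.

```python
"""Compare a sample's on-disk name with the OriginalFilename in its VS_VERSIONINFO
(added example, not Joe Sandbox code). Works on a raw PE file or a memory dump
without a PE parser by locating the UTF-16 "OriginalFilename" key directly."""
import struct

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(data, max_chars=260):
    """Every OriginalFilename value in `data`. A memory dump can contain the key
    followed by unrelated bytes, so the value is length-capped and must decode
    as printable UTF-16 to be reported."""
    found = []
    idx = data.find(KEY)
    while idx != -1:
        pos = idx + len(KEY)
        while data[pos:pos + 2] == b"\x00\x00":   # skip the WORD padding before Value
            pos += 2
        end = pos
        while end - pos < max_chars * 2 and data[end:end + 2] not in (b"", b"\x00\x00"):
            end += 2
        try:
            value = data[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            value = ""
        if value and value.isprintable():
            found.append(value)
        idx = data.find(KEY, idx + 1)
    return found


def name_mismatch(sample_name, data):
    """OriginalFilename values that differ (case-insensitively) from the sample name."""
    return [n for n in original_filenames(data) if n.lower() != sample_name.lower()]


def vs_string(key, value):
    """Serialise one VS_VERSIONINFO String entry: wLength, wValueLength (in WCHARs),
    wType=1 (text), szKey, DWORD padding, Value. Used only to build the sample below."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body


# Constructed stand-in for the sample's resource section: the name the report found,
# Tolip.exe, inside a minimal StringTable fragment with placeholder neighbours.
SAMPLE = (b"MZ" + b"\x00" * 62
          + vs_string("CompanyName", "Example")
          + vs_string("OriginalFilename", "Tolip.exe")
          + vs_string("ProductName", "Example"))

if __name__ == "__main__":
    print(name_mismatch("KHAWATMI CO.IMPORT & EXPORT.exe", SAMPLE))
```

On a real file, read the whole binary (or a process dump) into `data`; a mismatch is only a hint, since legitimate installers and renamed copies of signed tools also trip it, so pair it with the hash and signer checks.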

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.583437179.0000000003BD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_00407A2B push esp; retf 0_2_00407A2C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD636D push ebp; ret 0_2_03BD63AB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0005 push esi; iretd 0_2_03BD001D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0062 push esi; iretd 0_2_03BD008F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00562A54 push ds; ret 31_2_00562A5E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_0056374B push edi; ret 31_2_0056374D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00561C76 push ds; ret 31_2_00561C8A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00562501 push ds; retf 31_2_0056252A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00563335 push ds; retf 31_2_00563356
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00561F30 push ds; retf 31_2_00561F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_0056282F push ds; retf 31_2_005628CE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_005608D7 push edx; iretd 31_2_005608D8
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_005610C8 push ds; retf 31_2_005610D6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_005629FA push ds; retf 31_2_005629FE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_0056289C push ds; retf 31_2_005628CE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_0056379D push ds; retf 31_2_005637AA
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_00561984 push ds; ret 31_2_005619A6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 31_2_005625BA push ds; ret 31_2_005625C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F36 TerminateProcess,LoadLibraryA, 0_2_03BD0F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D8D NtWriteVirtualMemory, 0_2_03BD9D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BDA18A 0_2_03BDA18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD35F9 0_2_03BD35F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD11F5 TerminateProcess, 0_2_03BD11F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FF2 0_2_03BD9FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0BEC NtWriteVirtualMemory, 0_2_03BD0BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FEC 0_2_03BD9FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FD4 0_2_03BD9FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9FCE 0_2_03BD9FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D39 0_2_03BD9D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9F3A 0_2_03BD9F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD2B1E 0_2_03BD2B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD131A TerminateProcess, 0_2_03BD131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1107 TerminateProcess, 0_2_03BD1107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD8F7D 0_2_03BD8F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F77 TerminateProcess, 0_2_03BD0F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F51 TerminateProcess, 0_2_03BD0F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD374E 0_2_03BD374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD1546 TerminateProcess, 0_2_03BD1546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD34D3 0_2_03BD34D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD3827 0_2_03BD3827
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD141F TerminateProcess, 0_2_03BD141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD347D NtWriteVirtualMemory, 0_2_03BD347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9E75 0_2_03BD9E75
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD9586 second address: 0000000003BD9586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BDB185 second address: 0000000003BDB185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD62DB second address: 0000000003BD62DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BDA3AE second address: 0000000003BDA247 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov dword ptr [ebp+000001A5h], edx
    0x00000010 cmp cx, ax
    0x00000013 mov edx, F94DAB62h
    0x00000018 xor edx, BD1A4B48h
    0x0000001e xor edx, C6B15F47h
    0x00000024 jmp 00007F1B0CAFAC52h
    0x00000026 cmp si, 0F1Bh
    0x0000002b sub edx, 82E5DE6Eh
    0x00000031 cmp ah, bh
    0x00000033 cmp word ptr [ebx+05h], dx
    0x00000037 mov edx, dword ptr [ebp+000001A5h]
    0x0000003d jne 00007F1B0CAFAC2Ch
    0x0000003f mov dword ptr [ebp+00000189h], ecx
    0x00000045 mov ecx, CF26FC6Ch
    0x0000004a xor ecx, 90037EF2h
    0x00000050 test ax, dx
    0x00000053 add ecx, B269DCB6h
    0x00000059 cmp cl, al
    0x0000005b add ecx, EE70C0ACh
    0x00000061 nop
    0x00000062 cmp dword ptr [ebp+00000189h], ecx
    0x00000068 mov ecx, dword ptr [ebp+00000189h]
    0x0000006e jne 00007F1B0CAFA884h
    0x00000074 inc ecx
    0x00000075 inc ebx
    0x00000076 mov dword ptr [ebp+0000017Dh], ecx
    0x0000007c mov ecx, 3E44CBEFh
    0x00000081 xor ecx, B436F885h
    0x00000087 add ecx, 0943E9D7h
    0x0000008d xor ecx, 0326DE11h
    0x00000093 test bl, FFFFFFE4h
    0x00000096 cmp dword ptr [ebx], ecx
    0x00000098 mov ecx, dword ptr [ebp+0000017Dh]
    0x0000009e jne 00007F1B0CAFAC86h
    0x000000a4 mov dword ptr [ebp+00000171h], edi
    0x000000aa mov edi, dword ptr [ebx]
    0x000000ac cmp edx, edi
    0x000000ae mov edi, dword ptr [ebp+00000171h]
    0x000000b4 jne 00007F1B0CAFAC08h
    0x000000b6 mov dword ptr [ebp+0000022Eh], eax
    0x000000bc test ax, cx
    0x000000bf mov eax, 90506750h
    0x000000c4 test bx, bx
    0x000000c7 pushad
    0x000000c8 lfence
    0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD5953 second address: 0000000003BD5953 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.583477988.0000000003C10000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.583477988.0000000003C10000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD9586 second address: 0000000003BD9586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BDB185 second address: 0000000003BDB185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BDA36A second address: 0000000003BDA381 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a popad
    0x0000000b xor edi, ED27E950h
    0x00000011 pushad
    0x00000012 mov eax, 000000C6h
    0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD62DB second address: 0000000003BD62DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BDA3AE second address: 0000000003BDA247 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov dword ptr [ebp+000001A5h], edx
    0x00000010 cmp cx, ax
    0x00000013 mov edx, F94DAB62h
    0x00000018 xor edx, BD1A4B48h
    0x0000001e xor edx, C6B15F47h
    0x00000024 jmp 00007F1B0CAFAC52h
    0x00000026 cmp si, 0F1Bh
    0x0000002b sub edx, 82E5DE6Eh
    0x00000031 cmp ah, bh
    0x00000033 cmp word ptr [ebx+05h], dx
    0x00000037 mov edx, dword ptr [ebp+000001A5h]
    0x0000003d jne 00007F1B0CAFAC2Ch
    0x0000003f mov dword ptr [ebp+00000189h], ecx
    0x00000045 mov ecx, CF26FC6Ch
    0x0000004a xor ecx, 90037EF2h
    0x00000050 test ax, dx
    0x00000053 add ecx, B269DCB6h
    0x00000059 cmp cl, al
    0x0000005b add ecx, EE70C0ACh
    0x00000061 nop
    0x00000062 cmp dword ptr [ebp+00000189h], ecx
    0x00000068 mov ecx, dword ptr [ebp+00000189h]
    0x0000006e jne 00007F1B0CAFA884h
    0x00000074 inc ecx
    0x00000075 inc ebx
    0x00000076 mov dword ptr [ebp+0000017Dh], ecx
    0x0000007c mov ecx, 3E44CBEFh
    0x00000081 xor ecx, B436F885h
    0x00000087 add ecx, 0943E9D7h
    0x0000008d xor ecx, 0326DE11h
    0x00000093 test bl, FFFFFFE4h
    0x00000096 cmp dword ptr [ebx], ecx
    0x00000098 mov ecx, dword ptr [ebp+0000017Dh]
    0x0000009e jne 00007F1B0CAFAC86h
    0x000000a4 mov dword ptr [ebp+00000171h], edi
    0x000000aa mov edi, dword ptr [ebx]
    0x000000ac cmp edx, edi
    0x000000ae mov edi, dword ptr [ebp+00000171h]
    0x000000b4 jne 00007F1B0CAFAC08h
    0x000000b6 mov dword ptr [ebp+0000022Eh], eax
    0x000000bc test ax, cx
    0x000000bf mov eax, 90506750h
    0x000000c4 test bx, bx
    0x000000c7 pushad
    0x000000c8 lfence
    0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003BD5953 second address: 0000000003BD5953 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F36 rdtsc 0_2_03BD0F36
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.583477988.0000000003C10000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000000.00000002.583477988.0000000003C10000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process Stats: CPU usage > 90% for more than 60s
Hides threads from debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD0F36 rdtsc 0_2_03BD0F36
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD7601 LdrInitializeThunk, 0_2_03BD7601
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D8D mov eax, dword ptr fs:[00000030h] 0_2_03BD9D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD9D39 mov eax, dword ptr fs:[00000030h] 0_2_03BD9D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD8769 mov eax, dword ptr fs:[00000030h] 0_2_03BD8769
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD40DC mov eax, dword ptr fs:[00000030h] 0_2_03BD40DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD8E26 mov eax, dword ptr fs:[00000030h] 0_2_03BD8E26
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD347D mov eax, dword ptr fs:[00000030h] 0_2_03BD347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 0_2_03BD6245 mov eax, dword ptr fs:[00000030h] 0_2_03BD6245
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
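The RDTSC traces listed under Malware Analysis System Evasion show the shape of the check: rdtsc, then cpuid with eax=1 (cpuid causes a VM exit under hardware virtualization, so the elapsed cycle count is far larger on a hypervisor), then lfence; rdtsc, with the register-shuffling arithmetic in between serving as filler. The fs:[00000030h] reads just above are the PEB fetch that typically precedes a BeingDebugged or NtGlobalFlag check, and the push-register/ret pairs under Data Obfuscation are the return-based control flow the report calls "code obfuscation techniques". The following is an added example, not Joe Sandbox code, that hunts all three idioms statically in a code dump such as the 0x03BD0000 region, in Python. The SAMPLE bytes are constructed: they encode only the opening and closing instructions of the trace at 0x03BDA3AE (the middle is replaced by a nop) plus one PEB read and two push/ret gadgets modeled on the evidence lines; the window size and the idiom set are my choices. It matches raw bytes rather than decoded instructions, so an immediate or data bytes can collide with a pattern; treat hits as leads to confirm in a disassembler.

```python
"""Static scanner for the anti-analysis idioms this report flags (added example,
not Joe Sandbox code). Matches raw x86 byte patterns in a code dump; it is not a
disassembler, so verify hits with one before acting on them."""

RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
LFENCE = b"\x0f\xae\xe8"
PEB_EAX = b"\x64\xa1\x30\x00\x00\x00"           # mov eax, dword ptr fs:[30h]
FS_MOV = b"\x64\x8b"                             # fs: prefix + mov r32, r/m32
PUSH_OPCODES = set(range(0x50, 0x58)) | {0x06, 0x0E, 0x16, 0x1E}  # push r32 / push es,cs,ss,ds
RET_OPCODES = {0xC3, 0xCB, 0xCF}                 # ret, retf, iretd


def find_all(blob, pattern):
    """Every offset at which `pattern` occurs in `blob` (overlaps included)."""
    hits, i = [], blob.find(pattern)
    while i != -1:
        hits.append(i)
        i = blob.find(pattern, i + 1)
    return hits


def find_timing_checks(blob, window=512):
    """Consecutive rdtsc pairs within `window` bytes. Records any cpuid between
    them (the CPUID execution-measurement idiom) and whether the second rdtsc is
    serialised by an lfence, as in the trace at 0x03BDA3AE."""
    rdtsc, cpuid = find_all(blob, RDTSC), find_all(blob, CPUID)
    checks = []
    for first, second in zip(rdtsc, rdtsc[1:]):
        if second - first > window:
            continue
        checks.append({
            "first": first,
            "second": second,
            "cpuid": [c for c in cpuid if first < c < second],
            "lfence": blob[second - 3:second] == LFENCE,
        })
    return checks


def find_peb_reads(blob):
    """Offsets of `mov r32, fs:[30h]`: the short eax form plus the ModRM form
    (mod=00, rm=101 selects a disp32 with no base register)."""
    hits = find_all(blob, PEB_EAX)
    for i in find_all(blob, FS_MOV):
        if (blob[i + 2:i + 3] and (blob[i + 2] & 0xC7) == 0x05
                and blob[i + 3:i + 7] == b"\x30\x00\x00\x00"):
            hits.append(i)
    return sorted(hits)


def find_push_ret(blob):
    """Offsets of a one-byte push immediately followed by ret/retf/iretd, the
    push/ret control-flow obfuscation the report lists."""
    return [i for i in range(len(blob) - 1)
            if blob[i] in PUSH_OPCODES and blob[i + 1] in RET_OPCODES]


def scan(blob):
    timing = find_timing_checks(blob)
    return {
        "rdtsc_pairs": [(t["first"], t["second"]) for t in timing],
        "cpuid_timed": [t for t in timing if t["cpuid"]],
        "peb_reads": find_peb_reads(blob),
        "push_ret": find_push_ret(blob),
    }


# Constructed sample: the first and last instructions of the report's trace at
# 0x03BDA3AE (its middle replaced by a nop), then a PEB read and two push/ret gadgets.
SAMPLE = bytes.fromhex(
    "0F31"          # 0x00 rdtsc
    "B801000000"    # 0x02 mov eax, 1
    "0FA2"          # 0x07 cpuid
    "61"            # 0x09 popad
    "8995A5010000"  # 0x0a mov [ebp+1A5h], edx
    "90"            # 0x10 nop (stands in for the omitted filler arithmetic)
    "60"            # 0x11 pushad
    "0FAEE8"        # 0x12 lfence
    "0F31"          # 0x15 rdtsc
    "64A130000000"  # 0x17 mov eax, fs:[30h]  (PEB read)
    "56CF"          # 0x1d push esi; iretd
    "55C3"          # 0x1f push ebp; ret
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(f"{name}: {hits}")
```

Run it over a dumped RWX region (the Yara match here is on the 0x03BD0000 memory range, not the file on disk, because the VB6 stub only unpacks the shellcode at runtime); a region with several rdtsc pairs that each bracket a cpuid is a strong sign of the timing loop the sandbox reports, and the lfence flag separates deliberate measurement from stray rdtsc use.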

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe' Jump to behavior
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 0000001F.00000002.725778106.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 0000001F.00000002.725778106.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 0000001F.00000002.725778106.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 0000001F.00000002.725778106.0000000000FA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
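The sample re-launches its own image and the report flags that child as created suspended, the first step of process hollowing (create suspended, allocate and write into the child, re-protect, resume), while the native-call evidence under System Summary (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory) is the rest of that chain. In this run, however, the report records no thread injection ("Program does not show much activity"), so only the suspended self-spawn was actually observed. The following is an added example, not Joe Sandbox code, of how a detection would correlate those two evidence types in Python. The events are constructed in a Sysmon-like shape; the PIDs, field names and stage names are my assumptions, and the full-chain case is hypothetical, placed beside a case shaped like what this report observed.

```python
"""Correlate process-creation and native-API events into a process-hollowing verdict
(added example, not Joe Sandbox code; the event shape is constructed, Sysmon-like)."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Native calls a hollowing loader issues against its suspended child, in the usual order.
REMOTE_STAGES = {
    "NtAllocateVirtualMemory": "remote_alloc",
    "NtWriteVirtualMemory": "remote_write",
    "NtProtectVirtualMemory": "remote_protect",
    "NtResumeThread": "resume",
}


def verdict(stages):
    if "remote_write" in stages and "resume" in stages:
        return "likely process hollowing"
    if "remote_write" in stages:
        return "remote write into suspended child"
    return "suspended spawn only, no injection observed"


def find_hollowing(events):
    """events: chronologically ordered dicts. Returns one finding per process that
    was created suspended, listing the stages its parent was seen performing on it."""
    findings = {}  # child pid -> finding
    for ev in events:
        if ev["type"] == "process_create" and ev["flags"] & CREATE_SUSPENDED:
            stages = ["suspended_spawn"]
            if ev["image"].lower() == ev["parent_image"].lower():
                stages.append("self_spawn")  # this report's pattern: the sample re-launches itself
            findings[ev["pid"]] = {"parent": ev["ppid"], "child": ev["pid"],
                                   "image": ev["image"], "stages": stages}
        elif ev["type"] == "api":
            f = findings.get(ev.get("target_pid"))
            stage = REMOTE_STAGES.get(ev["api"])
            # Only the creating parent acting on the suspended child counts; writes
            # into the caller's own address space (target_pid == pid) do not.
            if f and stage and ev["pid"] == f["parent"] and stage not in f["stages"]:
                f["stages"].append(stage)
    for f in findings.values():
        f["verdict"] = verdict(f["stages"])
    return list(findings.values())


IMG = r"C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe"

# Constructed events (not taken from the report's trace).
EVENTS = [
    # Case 1, hypothetical full chain: suspended self-spawn, then the parent
    # allocates, writes and re-protects memory in the child and resumes it.
    {"type": "process_create", "pid": 1234, "ppid": 900, "image": IMG,
     "parent_image": r"C:\Windows\explorer.exe", "flags": 0},
    {"type": "process_create", "pid": 1310, "ppid": 1234, "image": IMG,
     "parent_image": IMG, "flags": CREATE_SUSPENDED},
    {"type": "api", "pid": 1234, "api": "NtAllocateVirtualMemory", "target_pid": 1310},
    {"type": "api", "pid": 1234, "api": "NtWriteVirtualMemory", "target_pid": 1310},
    {"type": "api", "pid": 1234, "api": "NtProtectVirtualMemory", "target_pid": 1310},
    {"type": "api", "pid": 1234, "api": "NtResumeThread", "target_pid": 1310},
    # Case 2, shaped like this report: suspended self-spawn, but the only writes
    # observed go into the parent's own address space.
    {"type": "process_create", "pid": 2200, "ppid": 2100, "image": IMG,
     "parent_image": IMG, "flags": CREATE_SUSPENDED},
    {"type": "api", "pid": 2100, "api": "NtWriteVirtualMemory", "target_pid": 2100},
    # Noise: a launcher starts a different program suspended and simply resumes it.
    {"type": "process_create", "pid": 3000, "ppid": 2900, "image": r"C:\Tools\app.exe",
     "parent_image": r"C:\Tools\launcher.exe", "flags": CREATE_SUSPENDED},
    {"type": "api", "pid": 2900, "api": "NtResumeThread", "target_pid": 3000},
]

if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f["child"], f["stages"], "->", f["verdict"])
```

The design point is that neither evidence type is conclusive alone: debuggers and launchers create suspended processes, and loaders write to their own memory constantly, so the rule fires only when the creating parent writes into the child it suspended. A sandbox that is detected early, as this one was, yields only the case-2 shape, which is why the report's own verdict rests on the GuLoader configuration and Yara match rather than on observed injection.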

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos