Source: 00000000.00000002.818731947.00000000020D0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&M-"} |
Source: correction HAWB.exe |
Virustotal: Detection: 25% |
Source: correction HAWB.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004022AE |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403451 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403660 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_0040386A |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403A74 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403236 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004034DC |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004036E9 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004038EC |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403345 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403563 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_00403973 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004035E1 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004037ED |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004039F7 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 4x nop then ret |
0_2_004031AF |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=download&M- |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: correction HAWB.exe, 00000000.00000000.289960859.000000000041D000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe |
Source: correction HAWB.exe, 00000000.00000002.818954308.00000000029C0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameThievesb9.exeFE2X, vs correction HAWB.exe |
Source: correction HAWB.exe |
Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe |
Source: correction HAWB.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00401868 |
0_2_00401868 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_004022AE |
0_2_004022AE |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00403236 |
0_2_00403236 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00403345 |
0_2_00403345 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_004031AF |
0_2_004031AF |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D838A |
0_2_020D838A |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: String function: 0040177E appears 94 times |
|
Source: C:\Users\user\Desktop\correction HAWB.exe |
Process Stats: CPU usage > 98% |
Source: correction HAWB.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0 |
Source: Yara match |
File source: 00000000.00000002.818731947.00000000020D0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00406072 push ecx; iretd |
0_2_00406076 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00403CCE push ecx; iretd |
0_2_00403CDD |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00407AEA push edi; iretd |
0_2_00407AEE |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00405356 pushad ; ret |
0_2_00405360 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00406D22 pushad ; ret |
0_2_00406D28 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_004055DD push ebx; iretd |
0_2_00405607 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00407D89 push ebp; retf |
0_2_00407D8A |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00404F95 pushad ; ret |
0_2_00404F98 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00407DB2 push edi; iretd |
0_2_00407DB3 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D2B14 push FFFFFFC1h; ret |
0_2_020D2B16 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D095A push ds; retf |
0_2_020D095B |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D1F85 pushad ; iretd |
0_2_020D1FC2 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D7C64 rdtsc |
0_2_020D7C64 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_004022AE mov ebx, dword ptr fs:[00000030h] |
0_2_004022AE |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_00403236 mov ebx, dword ptr fs:[00000030h] |
0_2_00403236 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_004031AF mov ebx, dword ptr fs:[00000030h] |
0_2_004031AF |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D7824 mov eax, dword ptr fs:[00000030h] |
0_2_020D7824 |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020DA13C mov eax, dword ptr fs:[00000030h] |
0_2_020DA13C |
Source: C:\Users\user\Desktop\correction HAWB.exe |
Code function: 0_2_020D9B4B mov eax, dword ptr fs:[00000030h] |
0_2_020D9B4B |
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: correction HAWB.exe, 00000000.00000002.818357395.0000000000C50000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |