
Windows Analysis Report correction HAWB.exe

Overview

General Information

Sample Name:correction HAWB.exe
Analysis ID:1638
MD5:a4ef1695bddce6530a28e0d72ae7f8c4
SHA1:3905f0749e1c55ad4d8fb2a1969cf3f74bc0aeb4
SHA256:64939ef2abe9b397b1f99bb4ba00c7e49be75f14013647c8e0605fb5fdb3b14b

Detection

GuLoader AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • correction HAWB.exe (PID: 9196 cmdline: 'C:\Users\user\Desktop\correction HAWB.exe' MD5: A4EF1695BDDCE6530A28E0D72AE7F8C4)
    • RegAsm.exe (PID: 5796 cmdline: 'C:\Users\user\Desktop\correction HAWB.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 8428 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 2424 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1536475707.0000000000770000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 5796 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 5796 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 116.0.120.83, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5796, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49766

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: correction HAWB.exe.9196.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}
Multi AV Scanner detection for submitted file
Source: correction HAWB.exe | Virustotal: Detection: 25%
Source: correction HAWB.exe | ReversingLabs: Detection: 24%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAAED10 CryptUnprotectData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAAF3A1 CryptUnprotectData
Source: correction HAWB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.97:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: tKZVPq.exe, tKZVPq.exe.12.dr
Source: Binary string: RegAsm.pdb4 source: tKZVPq.exe, 0000001B.00000000.1834677005.0000000000202000.00000002.00020000.sdmp, tKZVPq.exe, 00000020.00000002.1919301977.0000000000F02000.00000002.00020000.sdmp, tKZVPq.exe.12.dr
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004022AE
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403451
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403660
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_0040386A
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403A74
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403236
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004034DC
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004038EC
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403345
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403563
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_00403973
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004035E1
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004037ED
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004039F7
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 4x nop then ret 0_2_004031AF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49766 -> 116.0.120.83:587
Source: Joe Sandbox View | ASN Name: GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrB HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/8h8uio1dqpn5ahgfavoi7o8vnkc5qp90/1634122275000/16524389560697724177/*/1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrB?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-08-28-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49766 -> 116.0.120.83:587
Source: global traffic | TCP traffic: 192.168.11.20:49766 -> 116.0.120.83:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 0000000C.00000002.5779515273.000000001DD22000.00000004.00000001.sdmp | String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://JgQKqy.com
Source: RegAsm.exe, 0000000C.00000003.1513881162.0000000000E42000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000000C.00000003.1513881162.0000000000E42000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000C.00000002.5780921850.000000001DD9E000.00000004.00000001.sdmp | String found in binary or memory: http://cselegance.com
Source: RegAsm.exe, 0000000C.00000002.5780921850.000000001DD9E000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cselegance.com
Source: RegAsm.exe, 0000000C.00000003.1509438325.0000000000E48000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000C.00000002.5752371234.0000000000E01000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/2
Source: RegAsm.exe, 0000000C.00000002.5752371234.0000000000E01000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/d
Source: RegAsm.exe, 0000000C.00000003.1513881162.0000000000E42000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/doc
Source: RegAsm.exe, 0000000C.00000003.1509950713.0000000000E42000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/8h8uio1d
Source: RegAsm.exe, 0000000C.00000002.5750988193.0000000000DB8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000C.00000002.5757771183.0000000000FA0000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrB
Source: RegAsm.exe, 0000000C.00000003.1509950713.0000000000E42000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrBrhdQEDTFybmuMMIWI
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp, RegAsm.exe, 0000000C.00000002.5778351743.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 0000000C.00000002.5778351743.000000001DCD1000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 0000000C.00000002.5777190809.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: RegAsm.exe, 0000000C.00000002.5779515273.000000001DD22000.00000004.00000001.sdmp, RegAsm.exe, 0000000C.00000003.2451512819.000000001C871000.00000004.00000001.sdmp | String found in binary or memory: https://xgdZXmEGQW.org
Source: RegAsm.exe, 0000000C.00000002.5779515273.000000001DD22000.00000004.00000001.sdmp | String found in binary or memory: https://xgdZXmEGQW.org(6
Source: RegAsm.exe, 0000000C.00000002.5779515273.000000001DD22000.00000004.00000001.sdmp | String found in binary or memory: https://xgdZXmEGQW.orgt-~l
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrB HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/8h8uio1dqpn5ahgfavoi7o8vnkc5qp90/1634122275000/16524389560697724177/*/1oI6QtIwrNnN8NQRw9EUdqGJEy6K_yCrB?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-08-28-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.97:443 -> 192.168.11.20:49760 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: correction HAWB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00401868
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_004022AE
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00403236
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00403345
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_004031AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00921130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00923A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0092C278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00924320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00929DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0092CFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00923708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9ECDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9EC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9EE2E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9EFC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9E9DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9E585C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9E5878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9E3330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAA40B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAAB9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAA7106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAA6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAAC428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1CAAC3BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1DB25E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1DB24ACC
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 27_2_00203DFE
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 32_2_00F03DFE
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: String function: 0040177E appears 94 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 98%
Source: correction HAWB.exe, 00000000.00000000.685827454.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe
Source: correction HAWB.exe, 00000000.00000002.1537717282.00000000023F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameThievesb9.exeFE2X, vs correction HAWB.exe
Source: correction HAWB.exe | Binary or memory string: OriginalFilenameThievesb9.exe vs correction HAWB.exe
Source: correction HAWB.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\correction HAWB.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: edgegdi.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: correction HAWB.exe | Virustotal: Detection: 25%
Source: correction HAWB.exe | ReversingLabs: Detection: 24%
Source: correction HAWB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\correction HAWB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\correction HAWB.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\correction HAWB.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Users\user\Desktop\correction HAWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\correction HAWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\tKZVPq
Source: classification engine | Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@8/6@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:304:WilStaging_02
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: RegAsm.pdb source: tKZVPq.exe, tKZVPq.exe.12.dr
Source: Binary string: RegAsm.pdb4 source: tKZVPq.exe, 0000001B.00000000.1834677005.0000000000202000.00000002.00020000.sdmp, tKZVPq.exe, 00000020.00000002.1919301977.0000000000F02000.00000002.00020000.sdmp, tKZVPq.exe.12.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.1536475707.0000000000770000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00406072 push ecx; iretd 0_2_00406076
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00403CCE push ecx; iretd 0_2_00403CDD
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00407AEA push edi; iretd 0_2_00407AEE
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00405356 pushad ; ret 0_2_00405360
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00406D22 pushad ; ret 0_2_00406D28
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_004055DD push ebx; iretd 0_2_00405607
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00407D89 push ebp; retf 0_2_00407D8A
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00404F95 pushad ; ret 0_2_00404F98
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00407DB2 push edi; iretd 0_2_00407DB3
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00770E66 push edx; ret 0_2_00770E67
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00771861 push eax; iretd 0_2_0077186F
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00770E5D push ss; iretd 0_2_00770E63
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00770890 push eax; retf 0_2_00770896
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_0077349A push FFFFFF81h; retf 0_2_0077349C
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00771570 push eax; iretd 0_2_0077157C
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00773F2C push 330F7533h; ret 0_2_00773F32
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 0_2_00772D28 push esp; ret 0_2_00772D29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_1C9E2177 push edi; retn 0000h 12_2_1C9E2179
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 27_2_002044A3 push es; retf 27_2_002044A4
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 27_2_00204469 push cs; retf 27_2_0020449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 27_2_00204289 push es; retf 27_2_00204294
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 32_2_00F044A3 push es; retf 32_2_00F044A4
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 32_2_00F04469 push cs; retf 32_2_00F0449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 32_2_00F04289 push es; retf 32_2_00F04294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX