Windows Analysis Report DOC 13102021.exe

Overview

General Information

Sample Name:DOC 13102021.exe
Analysis ID:1647
MD5:31851bac3685c5641fc16e256c94c4a8
SHA1:31fea2ceaeb535863d46ec5260385649c34c0fa0
SHA256:e1940206b5e3300e88b817953a62d90a2e69b738df549dc5da993409a6487ae1

Detection

GuLoader AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • DOC 13102021.exe (PID: 8804 cmdline: 'C:\Users\user\Desktop\DOC 13102021.exe' MD5: 31851BAC3685C5641FC16E256C94C4A8)
    • RegAsm.exe (PID: 2588 cmdline: 'C:\Users\user\Desktop\DOC 13102021.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 7824 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales@binaryinfotech.comabc123#@!mail.binaryinfotech.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1441695522.0000000002200000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 2588 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 2588 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection Author: Joe Security: Data: DestinationIp: 132.148.164.170, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 2588, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49766
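The Sigma hit above and the process tree (RegAsm.exe started with the parent's command line, then connecting to port 587 and writing a Run value) are the kind of telemetry that can be matched directly in Sysmon. The following Python is an added example, not part of this Joe Sandbox report or of any Joe Security rule: it runs three checks over constructed Sysmon-style records modelled on the fields shown here. The list of .NET host binaries besides RegAsm.exe, the set of mail ports, the parent image of the persisted copy and the Outlook control event are assumptions.

```python
"""Sysmon triage for the behaviours in this report (added example, not Joe Sandbox code).

Three checks, each keyed on what the report shows:
  1. EventID 1: image path and command line name different executables, as with
     RegAsm.exe launched as 'DOC 13102021.exe' (hollowed host process).
  2. EventID 3: a .NET utility binary opens a TCP connection to a mail port
     (the Sigma hit "RegAsm connects to smtp port").
  3. EventID 13: the same kind of binary writes a CurrentVersion\\Run value.
Field names follow Sysmon; the events below are constructed, not captured.
"""
import ntpath
from collections import defaultdict

# Assumptions: mail ports and the set of signed .NET hosts that are commonly
# hollowed. The report only shows RegAsm.exe; the other names are added here.
MAIL_PORTS = {25, 465, 587}
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"  # matches HKCU and HKLM Run keys

# Constructed Sysmon-style events mirroring the process tree and the Sigma hit.
EVENTS = [
    {"EventID": 1, "ProcessId": 2588,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\DOC 13102021.exe'",
     "ParentImage": r"C:\Users\user\Desktop\DOC 13102021.exe"},
    {"EventID": 3, "ProcessId": 2588,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "Protocol": "tcp", "DestinationIp": "132.148.164.170", "DestinationPort": 587},
    {"EventID": 13, "ProcessId": 2588,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tKZVPq",
     "Details": r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"},
    # Controls that must not fire: the persisted copy started with its own path
    # (parent assumed to be explorer.exe) and an assumed mail client on port 587.
    {"EventID": 1, "ProcessId": 7824,
     "Image": r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe",
     "CommandLine": r"'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Protocol": "tcp", "DestinationIp": "40.96.0.1", "DestinationPort": 587},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def cmdline_executable(cmdline: str) -> str:
    """Executable named by a command line; a quoted first token may contain spaces."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        token = s[1:end] if end > 0 else s[1:]
    else:
        token = s.split(None, 1)[0] if s else ""
    return image_name(token)


def hollowed_host(ev: dict) -> bool:
    """Process create whose command line names a different binary than its image."""
    return ev["EventID"] == 1 and cmdline_executable(ev["CommandLine"]) != image_name(ev["Image"])


def dotnet_host_to_mail_port(ev: dict) -> bool:
    """Network connect from a .NET host binary to an SMTP/submission port."""
    return (ev["EventID"] == 3 and ev.get("Protocol") == "tcp"
            and ev["DestinationPort"] in MAIL_PORTS
            and image_name(ev["Image"]) in DOTNET_HOSTS)


def run_key_by_dotnet_host(ev: dict) -> bool:
    """Registry value set under a Run key by a .NET host binary."""
    return (ev["EventID"] == 13 and RUN_KEY_FRAGMENT in ev["TargetObject"].lower()
            and image_name(ev["Image"]) in DOTNET_HOSTS)


RULES = [
    ("hollowed_host_cmdline_mismatch", hollowed_host),
    ("dotnet_host_smtp_connection", dotnet_host_to_mail_port),
    ("run_key_set_by_dotnet_host", run_key_by_dotnet_host),
]


def triage(events):
    """Return (rule name, ProcessId) for every event a rule matches, in event order."""
    return [(name, ev["ProcessId"]) for ev in events for name, rule in RULES if rule(ev)]


def hits_by_pid(events):
    """Group rule names by ProcessId so one process carrying all three hits stands out."""
    grouped = defaultdict(list)
    for name, pid in triage(events):
        grouped[pid].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for pid, names in hits_by_pid(EVENTS).items():
        print(f"PID {pid}: {', '.join(names)}")
```

Grouping by ProcessId is the point: any one of the three checks can fire on benign activity (a developer running MSBuild, an installer registering a COM server), but one process that is started under a foreign command line, then talks to a mail port, then persists itself is the chain this report records.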

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.2588.25.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales@binaryinfotech.comabc123#@!mail.binaryinfotech.com"}
Multi AV Scanner detection for submitted file
Source: DOC 13102021.exe Virustotal: Detection: 30%
Source: DOC 13102021.exe ReversingLabs: Detection: 25%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DAF540 CryptUnprotectData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DAFC31 CryptUnprotectData
Source: DOC 13102021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.212.174:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49762 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000019.00000003.2355199055.0000000020B21000.00000004.00000010.sdmp, tKZVPq.exe, tKZVPq.exe.25.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000019.00000003.2355199055.0000000020B21000.00000004.00000010.sdmp, tKZVPq.exe, 00000029.00000000.1718608698.0000000000F72000.00000002.00020000.sdmp, tKZVPq.exe.25.dr
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004022D6
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_00403455
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_0040323D
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004034E9
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004032BE
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_0040334C
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_0040356C
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004033D5
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004031DE
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 4x nop then mov ebx, ebx 0_2_004035EB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49766 -> 132.148.164.170:587
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1C8oenb3NC7djnCvQzvUetP49sAKvj9vX HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/vr17dakf7s0cou2qripnjj0rpkilfov4/1634137800000/16524389560697724177/*/1C8oenb3NC7djnCvQzvUetP49sAKvj9vX?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-0c-28-docs.googleusercontent.com Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.11.20:49766 -> 132.148.164.170:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000019.00000002.5659697013.000000001DBED000.00000004.00000001.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000019.00000002.5660376539.000000001DC4E000.00000004.00000001.sdmp String found in binary or memory: http://binaryinfotech.com
Source: RegAsm.exe, 00000019.00000002.5642799670.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000019.00000002.5642799670.0000000000FA7000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000019.00000002.5660376539.000000001DC4E000.00000004.00000001.sdmp String found in binary or memory: http://mail.binaryinfotech.com
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: http://nQcaIX.com
Source: RegAsm.exe, 00000019.00000003.1413747869.0000000000FB4000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000019.00000003.1413747869.0000000000FB4000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-28-docs.googleusercontent.com/
Source: RegAsm.exe, 00000019.00000003.1413747869.0000000000FB4000.00000004.00000001.sdmp String found in binary or memory: https://doc-0c-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/vr17dakf
Source: RegAsm.exe, 00000019.00000002.5640301133.0000000000F28000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000019.00000002.5640301133.0000000000F28000.00000004.00000020.sdmp, RegAsm.exe, 00000019.00000003.1413747869.0000000000FB4000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.5636629483.0000000000D00000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1C8oenb3NC7djnCvQzvUetP49sAKvj9vX
Source: RegAsm.exe, 00000019.00000003.1413747869.0000000000FB4000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1C8oenb3NC7djnCvQzvUetP49sAKvj9vX_WmtySzXDjqnzS380
Source: RegAsm.exe, 00000019.00000002.5659697013.000000001DBED000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.5660466574.000000001DC5C000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000003.2361567201.000000001C8C1000.00000004.00000001.sdmp String found in binary or memory: https://iMTj3lrhN3y57FrL8VE.com
Source: RegAsm.exe, 00000019.00000002.5659697013.000000001DBED000.00000004.00000001.sdmp String found in binary or memory: https://iMTj3lrhN3y57FrL8VE.comt-
Source: RegAsm.exe, 00000019.00000002.5658813337.000000001DB81000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000019.00000002.5658813337.000000001DB81000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000019.00000002.5658064562.000000001DB31000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_00401868
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004022D6
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_00403455
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0040323D
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004034E9
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004032BE
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0040334C
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0040356C
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004033D5
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004031DE
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004035EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A4C898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A4C262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A41120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00A43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00D26B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00D215B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA08DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA6440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA5D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA12D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DAC248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA0F9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA7718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DA0CB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBDC3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBB216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBECD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBF0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBF078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DB8C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DB5818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DBEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DB57B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00DB3330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00F14190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00F167A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00F10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00F103E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_00F15590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1D9E5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1D9E4ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1D9E5DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1D9E6AF1
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 41_2_00F73DFE
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: String function: 0040177E appears 94 times
Source: C:\Users\user\Desktop\DOC 13102021.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Source: DOC 13102021.exe, 00000000.00000000.570422254.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametombo.exe vs DOC 13102021.exe
Source: DOC 13102021.exe, 00000000.00000002.1442222105.0000000002B20000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametombo.exeFE2X vs DOC 13102021.exe
Source: DOC 13102021.exe Binary or memory string: OriginalFilenametombo.exe vs DOC 13102021.exe
Source: DOC 13102021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\DOC 13102021.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: edgegdi.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: DOC 13102021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DOC 13102021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOC 13102021.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\DOC 13102021.exe 'C:\Users\user\Desktop\DOC 13102021.exe'
Source: C:\Users\user\Desktop\DOC 13102021.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\DOC 13102021.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq
Source: classification engine Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@6/5@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1441695522.0000000002200000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_00401868 push ds; retf 9800h 0_2_00401FBF
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0040727E push cs; iretd 0_2_0040727F
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004040ED push 00000046h; ret 0_2_004040F1
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_00406AA9 push ecx; iretd 0_2_00406AAA
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_004070AC pushad ; retf 0_2_004070AD
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02204A2A push 00000000h; ret 0_2_02204A2C
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02202C33 push ss; retf 0_2_02202C34
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02203862 push ecx; ret 0_2_02203883
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02201C8D push esi; ret 0_2_02201CAA
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_022050EE push edx; retf 0_2_022050F4
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02203F12 push es; ret 0_2_02203F14
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0220431D pushad ; iretd 0_2_02204394
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_0220436B pushad ; iretd 0_2_02204394
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02204798 push ebp; retf 0_2_022047A2
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_02202BE7 push esi; iretd 0_2_02202C09
Source: C:\Users\user\Desktop\DOC 13102021.exe Code function: 0_2_022047F5 push ebx; ret 0_2_02204808
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 41_2_00F744A3 push es; retf 41_2_00F744A4
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 41_2_00F74469 push cs; retf 41_2_00F7449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 41_2_00F74289 push es; retf 41_2_00F74294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DOC 13102021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOC 13102021.exe