Windows Analysis Report correction HAWB.exe

Overview

General Information

Sample Name: correction HAWB.exe
Analysis ID: 502575
MD5: 8a29580d47943a0f2c61ca552a63bc30
SHA1: e4cdec934b4bfc2e055216c03ac7056069100b05
SHA256: 53c0cf2d25f350a579729af76c466b68b899586b620ffae8925fcb4d831dc2c8
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage
Detected potential crypto function
Found potential string decryption / allocating functions

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.758213767.0000000002110000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d"}
Machine Learning detection for sample
Source: correction HAWB.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=d

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: correction HAWB.exe, 00000000.00000002.758468268.0000000002890000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUnelega5.exeFE2X vs correction HAWB.exe
Source: correction HAWB.exe, 00000000.00000000.230189845.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
Source: correction HAWB.exe Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
PE file contains strange resources
Source: correction HAWB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\correction HAWB.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004022BB 0_2_004022BB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403444 0_2_00403444
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_0040322C 0_2_0040322C
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004034DC 0_2_004034DC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004032B6 0_2_004032B6
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_0040333F 0_2_0040333F
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004033CA 0_2_004033CA
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004031AB 0_2_004031AB
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: String function: 0040177E appears 94 times
Source: correction HAWB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\correction HAWB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\correction HAWB.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.758213767.0000000002110000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00403C72 push eax; iretd 0_2_00403C73
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_0040440B pushad ; iretd 0_2_00404415
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00405ADE push esi; ret 0_2_00405AEC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00406AE7 push ss; iretd 0_2_00406AE8
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_0040695C push eax; ret 0_2_00406974
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00406F76 push 0000002Ch; iretd 0_2_00406F78
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004057DC push ecx; ret 0_2_004057E0
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_00407BBE push eax; retf 0_2_00407BBF
Source: initial sample Static PE information: section name: .text entropy: 6.82320580255
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\correction HAWB.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004022BB mov ebx, dword ptr fs:[00000030h] 0_2_004022BB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 0_2_004031AB mov ebx, dword ptr fs:[00000030h] 0_2_004031AB
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: correction HAWB.exe, 00000000.00000002.757533942.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: correction HAWB.exe, 00000000.00000002.757533942.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: correction HAWB.exe, 00000000.00000002.757533942.0000000000C60000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: correction HAWB.exe, 00000000.00000002.757533942.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: correction HAWB.exe, 00000000.00000002.757533942.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos