Windows Analysis Report correction HAWB.exe

Overview

General Information

Sample Name: correction HAWB.exe
Analysis ID: 1656
MD5: 8a29580d47943a0f2c61ca552a63bc30
SHA1: e4cdec934b4bfc2e055216c03ac7056069100b05
SHA256: 53c0cf2d25f350a579729af76c466b68b899586b620ffae8925fcb4d831dc2c8
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: UserOOBEBroker.exe.1772.17.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C89ED10 CryptUnprotectData, 7_2_1C89ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C89F3A1 CryptUnprotectData, 7_2_1C89F3A1

Compliance:

barindex
Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.193:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: tKZVPq.exe, tKZVPq.exe.7.dr
Source: Binary string: RegAsm.pdb4 source: tKZVPq.exe, 0000000C.00000002.4115929077.0000000000FE2000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000002.4195528975.00000000009A2000.00000002.00020000.sdmp, tKZVPq.exe.7.dr

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49771 -> 116.0.120.83:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 116.0.120.83 116.0.120.83
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlujbaqahk4bi15tv00ii385av2/1634178900000/16524389560697724177/*/1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-28-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49771 -> 116.0.120.83:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49771 -> 116.0.120.83:587
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8381893375.000000001DB81000.00000004.00000001.sdmp String found in binary or memory: http://AVyHehd5cM53ZVmf.org
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp String found in binary or memory: http://AVyHehd5cM53ZVmf.org(6
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp String found in binary or memory: http://AVyHehd5cM53ZVmf.orgt-
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp String found in binary or memory: http://JgQKqy.com
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000007.00000002.8381687035.000000001DB71000.00000004.00000001.sdmp String found in binary or memory: http://cselegance.com
Source: RegAsm.exe, 00000007.00000002.8381687035.000000001DB71000.00000004.00000001.sdmp String found in binary or memory: http://mail.cselegance.com
Source: UserOOBEBroker.exe, 00000011.00000002.8367603018.0000027B2F3F0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.microso
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/I
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlu
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/eU
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/2wHG
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/Bw
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oOUs
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oOVsEG
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8380502286.000000001DAB2000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000007.00000002.8380502286.000000001DAB2000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlujbaqahk4bi15tv00ii385av2/1634178900000/16524389560697724177/*/1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-28-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.193:443 -> 192.168.11.20:49769 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: correction HAWB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004022BB 1_2_004022BB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00403444 1_2_00403444
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_0040322C 1_2_0040322C
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004034DC 1_2_004034DC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004032B6 1_2_004032B6
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_0040333F 1_2_0040333F
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004033CA 1_2_004033CA
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004031AB 1_2_004031AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008A1130 7_2_008A1130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008A3A50 7_2_008A3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008AC278 7_2_008AC278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008A4320 7_2_008A4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008ACFD8 7_2_008ACFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008A3708 7_2_008A3708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C9C5D8 7_2_00C9C5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C9E29F 7_2_00C9E29F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C94EB0 7_2_00C94EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C9FC18 7_2_00C9FC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C99DB8 7_2_00C99DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00C91D28 7_2_00C91D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C89B9B0 7_2_1C89B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C897106 7_2_1C897106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C893D70 7_2_1C893D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C896E90 7_2_1C896E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C89C428 7_2_1C89C428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C89C328 7_2_1C89C328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1D895E08 7_2_1D895E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1D894ACC 7_2_1D894ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1D895DC1 7_2_1D895DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1D896AF1 7_2_1D896AF1
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 12_2_00FE3DFE 12_2_00FE3DFE
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 15_2_009A3DFE 15_2_009A3DFE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: String function: 0040177E appears 94 times
Sample file is different than original file name gathered from version info
Source: correction HAWB.exe, 00000001.00000000.3317832386.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
Source: correction HAWB.exe, 00000001.00000002.3822812201.0000000002B70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUnelega5.exeFE2X vs correction HAWB.exe
Source: correction HAWB.exe Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
PE file contains strange resources
Source: correction HAWB.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\correction HAWB.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Section loaded: edgegdi.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: correction HAWB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\correction HAWB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\correction HAWB.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Users\user\Desktop\correction HAWB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\correction HAWB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq Jump to behavior
Source: classification engine Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@9/6@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: RegAsm.pdb source: tKZVPq.exe, tKZVPq.exe.7.dr
Source: Binary string: RegAsm.pdb4 source: tKZVPq.exe, 0000000C.00000002.4115929077.0000000000FE2000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000002.4195528975.00000000009A2000.00000002.00020000.sdmp, tKZVPq.exe.7.dr

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.3821567072.00000000022E0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00403C72 push eax; iretd 1_2_00403C73
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_0040440B pushad ; iretd 1_2_00404415
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00405ADE push esi; ret 1_2_00405AEC
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00406AE7 push ss; iretd 1_2_00406AE8
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_0040695C push eax; ret 1_2_00406974
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00406F76 push 0000002Ch; iretd 1_2_00406F78
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004057DC push ecx; ret 1_2_004057E0
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_00407BBE push eax; retf 1_2_00407BBF
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E4A7F push eax; ret 1_2_022E4A85
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E08A6 push es; iretd 1_2_022E08A7
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E0B36 push B85A74BAh; iretd 1_2_022E0B3C
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E250C push eax; ret 1_2_022E250D
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E175C push eax; ret 1_2_022E175D
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_022E2F59 push edx; ret 1_2_022E2F5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ss; mov dword ptr [esp], ebx 7_2_1C8921A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8924E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89253E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89257E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89258A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8925CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8925D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892622
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 12_2_00FE4469 push cs; retf 12_2_00FE449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 12_2_00FE44A3 push es; retf 12_2_00FE44A4
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 12_2_00FE4289 push es; retf 12_2_00FE4294
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 15_2_009A4289 push es; retf 15_2_009A4294
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 15_2_009A4469 push cs; retf 15_2_009A449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 15_2_009A44A3 push es; retf 15_2_009A44A4
Source: initial sample Static PE information: section name: .text entropy: 6.82320580255

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\correction HAWB.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: correction HAWB.exe, 00000001.00000002.3821675907.0000000002310000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: correction HAWB.exe, 00000001.00000002.3820725967.00000000006BD000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEXE
Source: correction HAWB.exe, 00000001.00000002.3821675907.0000000002310000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1-G0AABCC_JUFUDXKNGBGYGXCFADOZ4OO
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6640 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 7312 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 4340 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9956 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\correction HAWB.exe System information queried: ModuleInformation Jump to behavior
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: correction HAWB.exe, 00000001.00000002.3821675907.0000000002310000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: correction HAWB.exe, 00000001.00000002.3820725967.00000000006BD000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exexe
Source: RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000007.00000002.8369968375.0000000000DA1000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: correction HAWB.exe, 00000001.00000002.3821675907.0000000002310000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWPX
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: correction HAWB.exe, 00000001.00000002.3822938960.0000000004799000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RegAsm.exe, 00000007.00000002.8372298928.0000000002669000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\correction HAWB.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004022BB mov ebx, dword ptr fs:[00000030h] 1_2_004022BB
Source: C:\Users\user\Desktop\correction HAWB.exe Code function: 1_2_004031AB mov ebx, dword ptr fs:[00000030h] 1_2_004031AB
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\correction HAWB.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_008A7166 KiUserExceptionDispatcher,LdrInitializeThunk, 7_2_008A7166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\correction HAWB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 980000 Jump to behavior
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\correction HAWB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe' Jump to behavior
Source: RegAsm.exe, 00000007.00000002.8371695995.0000000001210000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000011.00000002.8369058216.0000027B2FAB0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000007.00000002.8371695995.0000000001210000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000011.00000002.8369058216.0000027B2FAB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000007.00000002.8371695995.0000000001210000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000011.00000002.8369058216.0000027B2FAB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000007.00000002.8371695995.0000000001210000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000011.00000002.8369058216.0000027B2FAB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6712, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6712, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6712, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1656 Sample: correction HAWB.exe Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 38 mail.cselegance.com 2->38 40 cselegance.com 2->40 42 3 other IPs or domains 2->42 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Potential malicious icon found 2->46 48 Found malware configuration 2->48 50 4 other signatures 2->50 8 correction HAWB.exe 2->8         started        11 tKZVPq.exe 2 2->11         started        13 tKZVPq.exe 1 2->13         started        15 UserOOBEBroker.exe 2->15         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 8->60 62 Tries to detect Any.run 8->62 64 Hides threads from debuggers 8->64 17 RegAsm.exe 2 11 8->17         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        process6 dnsIp7 32 cselegance.com 116.0.120.83, 49771, 587 GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY Malaysia 17->32 34 googlehosted.l.googleusercontent.com 142.250.185.193, 443, 49769 GOOGLEUS United States 17->34 36 drive.google.com 172.217.168.46, 443, 49768 GOOGLEUS United States 17->36 28 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 17->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 17->30 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->54 56 Tries to steal Mail credentials (via file access) 17->56 58 7 other signatures 17->58 26 conhost.exe 17->26         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.168.46
 drive.google.com United States
15169 GOOGLEUS false
142.250.185.193
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
116.0.120.83
 cselegance.com Malaysia
24218 GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY true

Contacted Domains

Name IP Active
cselegance.com 116.0.120.83 true
drive.google.com 172.217.168.46 true
googlehosted.l.googleusercontent.com 142.250.185.193 true
doc-08-28-docs.googleusercontent.com unknown unknown
mail.cselegance.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-08-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlujbaqahk4bi15tv00ii385av2/1634178900000/16524389560697724177/*/1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO?e=download false
    		high