Windows Analysis Report
8NU1qpOatQ.exe

Overview

General Information

Sample name: 8NU1qpOatQ.exe
renamed because original name is a hash value
Original sample name: 20c840940536dc89016f7d4c78cce2c839ee2106.exe
Analysis ID: 1546796
MD5: a0c776661815d65a51c4d4c7da408f4d
SHA1: 20c840940536dc89016f7d4c78cce2c839ee2106
SHA256: a82da08a181eafbcc779f5af962eebe04e3b973c40f90a37f42ea8d3de7fc70f
Tags: exe, ReversingLabs, user-NDA0E

Detection

MofongoLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MofongoLoader
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 8NU1qpOatQ.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.7% probability
Source: 8NU1qpOatQ.exe Static PE information: certificate valid
Source: 8NU1qpOatQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343B184 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF75343B184
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49714
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49709
Source: unknown DNS traffic detected: query: cloudnetworkverify.com replaycode: Server failure (2)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cloudnetworkverify.com
Source: 8NU1qpOatQ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 8NU1qpOatQ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 8NU1qpOatQ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 8NU1qpOatQ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 8NU1qpOatQ.exe String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 8NU1qpOatQ.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 8NU1qpOatQ.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: 8NU1qpOatQ.exe String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD397000.00000004.00000020.00020000.00000000.sdmp, 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/CS4/Dc
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/MI
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/RouteHelper.dll
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/lH
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/ll
Source: 8NU1qpOatQ.exe, 8NU1qpOatQ.exe, 00000000.00000002.1581225051.00007FF75345A000.00000040.00000001.01000000.00000003.sdmp, 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD3C5000.00000004.00000020.00020000.00000000.sdmp, 8NU1qpOatQ.exe, 00000000.00000002.1580843749.000001E3FBAEE000.00000004.00000020.00020000.00000000.sdmp, 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD3A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/windows/verify
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580843749.000001E3FBAEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/windows/verify_
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD3A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/windows/verifyc94s
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580843749.000001E3FBAAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/windows/verifyed
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD3A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudnetworkverify.com/windows/verifyn
Source: 8NU1qpOatQ.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534386A4 0_2_00007FF7534386A4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753400990 0_2_00007FF753400990
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343E418 0_2_00007FF75343E418
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342A3A4 0_2_00007FF75342A3A4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753434260 0_2_00007FF753434260
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343B184 0_2_00007FF75343B184
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342B12C 0_2_00007FF75342B12C
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342A1B8 0_2_00007FF75342A1B8
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753434720 0_2_00007FF753434720
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342A590 0_2_00007FF75342A590
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342BD00 0_2_00007FF75342BD00
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753412B20 0_2_00007FF753412B20
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753441BF4 0_2_00007FF753441BF4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342AC08 0_2_00007FF75342AC08
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753430BA4 0_2_00007FF753430BA4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342EA60 0_2_00007FF75342EA60
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343FA7C 0_2_00007FF75343FA7C
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753439A44 0_2_00007FF753439A44
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342DAD0 0_2_00007FF75342DAD0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534339A0 0_2_00007FF7534339A0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75342E004 0_2_00007FF75342E004
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343CE68 0_2_00007FF75343CE68
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753431EE4 0_2_00007FF753431EE4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753434DB4 0_2_00007FF753434DB4
Source: 8NU1qpOatQ.exe, 00000000.00000000.1573061891.00007FF7534B2000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameP0 vs 8NU1qpOatQ.exe
Source: 8NU1qpOatQ.exe, 00000000.00000003.1575210337.000001E3FD932000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameP0 vs 8NU1qpOatQ.exe
Source: 8NU1qpOatQ.exe Binary or memory string: OriginalFilenameP0 vs 8NU1qpOatQ.exe
Source: classification engine Classification label: mal60.troj.winEXE@1/0@1/0
Source: 8NU1qpOatQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8NU1qpOatQ.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe File read: C:\Users\user\Desktop\8NU1qpOatQ.exe
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: 8NU1qpOatQ.exe Static PE information: certificate valid
Source: 8NU1qpOatQ.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 8NU1qpOatQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 8NU1qpOatQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8NU1qpOatQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8NU1qpOatQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8NU1qpOatQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8NU1qpOatQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match File source: 00000000.00000003.1575210337.000001E3FD881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1581154703.00007FF753400000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1575514282.000001E3FD38E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1573061891.00007FF753400000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1575394016.000001E3FBAFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753411300 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,CheckTokenMembership,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF753411300
Source: 8NU1qpOatQ.exe Static PE information: real checksum: 0xbf982 should be: 0xbb089
Source: 8NU1qpOatQ.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75345D1FA push rsp; retf 0_2_00007FF75345D1FB
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447858 push rbp; retf 0_2_00007FF753447863
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447880 push rbp; retf 0_2_00007FF753447863
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447880 push r14; retf 0_2_00007FF753447893
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447848 push rsi; retf 0_2_00007FF753447853
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447838 push rsi; retf 0_2_00007FF75344783B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447840 push rsi; retf 0_2_00007FF753447843
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447840 push r14; retf 0_2_00007FF753447893
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447908 push rbp; retf 0_2_00007FF753447923
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447910 push rsp; retf 0_2_00007FF753447913
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478A8 push rsi; retf 0_2_00007FF7534478AB
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478B0 push rbp; retf 0_2_00007FF7534478B3
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447898 push rbp; retf 0_2_00007FF75344789B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478B8 push rbp; retf 0_2_00007FF7534478BB
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478C0 push rbp; retf 0_2_00007FF75344789B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478C0 push r14; retf 0_2_00007FF7534478D3
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75345E604 push rax; ret 0_2_00007FF75345E609
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A68 push rsi; retf 0_2_00007FF753447A73
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A58 push rbp; retf 0_2_00007FF753447A63
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A60 push rdi; retf 0_2_00007FF753447A6B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A88 push r14; retf 0_2_00007FF753447A8B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A90 push rsi; retf 0_2_00007FF753447A9B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A80 push rsi; retf 0_2_00007FF753447A83
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A18 push rbp; retf 0_2_00007FF7534479F3
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A50 push rbp; retf 0_2_00007FF753447A53
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447A98 push rsi; retf 0_2_00007FF753447A9B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447AB8 push rbp; retf 0_2_00007FF753447ABB
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447968 push rbp; retf 0_2_00007FF75344796B
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447970 push rbp; retf 0_2_00007FF753447973
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447960 push rsi; retf 0_2_00007FF753447963
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447990 push rbp; retf 0_2_00007FF753447993
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753400990 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,HttpQueryInfoW,GetLastError,HttpQueryInfoW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF753400990
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343B184 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF75343B184
Source: 8NU1qpOatQ.exe, 00000000.00000002.1580998541.000001E3FD3A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753429358 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF753429358
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753411300 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,CheckTokenMembership,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF753411300
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF75343F768 GetProcessHeap, 0_2_00007FF75343F768
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753429358 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF753429358
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534231C4 SetUnhandledExceptionFilter, 0_2_00007FF7534231C4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447908 RtlLookupFunctionEntry,SetUnhandledExceptionFilter, 0_2_00007FF753447908
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753447920 SetUnhandledExceptionFilter, 0_2_00007FF753447920
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753423010 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF753423010
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF753444478 cpuid 0_2_00007FF753444478
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF75343F448
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF75343F258
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW, 0_2_00007FF75343F30C
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: EnumSystemLocalesW, 0_2_00007FF753447A68
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW, 0_2_00007FF753447A50
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: EnumSystemLocalesW, 0_2_00007FF753435940
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF75343E9D4
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW, 0_2_00007FF75343F0F0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF75343EEA0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: EnumSystemLocalesW, 0_2_00007FF75343ED30
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: GetLocaleInfoW, 0_2_00007FF753435E10
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: EnumSystemLocalesW, 0_2_00007FF75343EE04
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Code function: 0_2_00007FF7534478F0 LCMapStringEx,GetSystemTimeAsFileTime, 0_2_00007FF7534478F0
Source: C:\Users\user\Desktop\8NU1qpOatQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos