Windows Analysis Report
qxn9Zvy1at.exe

Overview

General Information

Sample name: qxn9Zvy1at.exe
Renamed because the original name is a hash value
Original sample name: 162b70c387c1a07d13b2f84112ac23bdb23dc1118fcddf2b9833434ad0e87b6c.exe
Analysis ID: 1436569
MD5: 1f6f7770d3a6339ae9719674be79f497
SHA1: b50f4b90ded4697f031b75fb883c0e4eda53c90a
SHA256: 162b70c387c1a07d13b2f84112ac23bdb23dc1118fcddf2b9833434ad0e87b6c
Tags: exemofong-loader

Detection

MofongoLoader
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MofongoLoader
Found direct / indirect Syscall (likely to bypass EDR)
Adds / modifies Windows certificates
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Classification

Source: qxn9Zvy1at.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.67.214.45:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: qxn9Zvy1at.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6DC20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7EBE6DC20
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE31550 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetReadFile,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF7EBE31550
Source: global traffic DNS traffic detected: DNS query: securetestconnect.app
Source: unknown HTTP traffic detected:
POST /connection/test HTTP/1.1
Content-Type: application/json
User-Agent: UA/1
Host: securetestconnect.app
Content-Length: 99
Cache-Control: no-cache
Source: qxn9Zvy1at.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: qxn9Zvy1at.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: qxn9Zvy1at.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: qxn9Zvy1at.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.usertrust.
Source: qxn9Zvy1at.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: qxn9Zvy1at.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: qxn9Zvy1at.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: qxn9Zvy1at.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: qxn9Zvy1at.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: qxn9Zvy1at.exe, 00000000.00000002.1629483647.0000015524A1B000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A10000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628935115.0000015524A1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: qxn9Zvy1at.exe String found in binary or memory: https://sectigo.com/CPS0
Source: qxn9Zvy1at.exe, qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BFD000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629585796.0000015524C04000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629699590.00007FF7EBE8E000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://securetestconnect.app/connection/test
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://securetestconnect.app/connection/testMain
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://securetestconnect.app/connection/testn
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://securetestconnect.app/f
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://securetestconnect.app/r
Source: qxn9Zvy1at.exe, 00000000.00000002.1629483647.0000015524A1B000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A10000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A0D000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628935115.0000015524A1A000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628842693.0000015524A06000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628842693.00000155249FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE43D30 shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,CreatePipe,SetHandleInformation,CreateProcessA,CloseHandle,CloseHandle,NtCreateSection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetStdHandle,ReadFile,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF7EBE43D30
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE43D30 0_2_00007FF7EBE43D30
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6B5F0 0_2_00007FF7EBE6B5F0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5DCE4 0_2_00007FF7EBE5DCE4
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE64C78 0_2_00007FF7EBE64C78
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6DC20 0_2_00007FF7EBE6DC20
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE61B30 0_2_00007FF7EBE61B30
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE679DC 0_2_00007FF7EBE679DC
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE639A0 0_2_00007FF7EBE639A0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6C930 0_2_00007FF7EBE6C930
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5CFA0 0_2_00007FF7EBE5CFA0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE66EAC 0_2_00007FF7EBE66EAC
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5CDB8 0_2_00007FF7EBE5CDB8
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE70D88 0_2_00007FF7EBE70D88
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE60D6C 0_2_00007FF7EBE60D6C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6735C 0_2_00007FF7EBE6735C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE72364 0_2_00007FF7EBE72364
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6127C 0_2_00007FF7EBE6127C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE74248 0_2_00007FF7EBE74248
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5D188 0_2_00007FF7EBE5D188
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5E870 0_2_00007FF7EBE5E870
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6F858 0_2_00007FF7EBE6F858
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5D7D0 0_2_00007FF7EBE5D7D0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE6663C 0_2_00007FF7EBE6663C
Source: qxn9Zvy1at.exe, 00000000.00000002.1629718940.00007FF7EBEDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: qxn9Zvy1at.exe, 00000000.00000003.1620517133.00000155250DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: qxn9Zvy1at.exe Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: classification engine Classification label: mal52.troj.evad.winEXE@3/0@1/1
Source: qxn9Zvy1at.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe File read: C:\Users\user\Desktop\qxn9Zvy1at.exe
Source: unknown Process created: C:\Users\user\Desktop\qxn9Zvy1at.exe "C:\Users\user\Desktop\qxn9Zvy1at.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: qxn9Zvy1at.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qxn9Zvy1at.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qxn9Zvy1at.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qxn9Zvy1at.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qxn9Zvy1at.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qxn9Zvy1at.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qxn9Zvy1at.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match File source: 00000000.00000003.1619237473.0000015524A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1619549911.0000015524A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1629656340.00007FF7EBE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1617145667.00007FF7EBE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1620726266.0000015524BC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1617672578.00000155249B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1620517133.0000015525031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1619140980.0000015524A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1620645632.00000155249ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1619366078.00000155249ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE44C20 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,QueryFullProcessImageNameW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Mtx_guard::~_Mtx_guard, 0_2_00007FF7EBE44C20
Source: qxn9Zvy1at.exe Static PE information: real checksum: 0xbd572 should be: 0xb7269
Source: qxn9Zvy1at.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629585796.0000015524C04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7fvq
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.00000155249FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE5BFC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7EBE5BFC0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE72078 GetProcessHeap, 0_2_00007FF7EBE72078
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE56350 SetUnhandledExceptionFilter, 0_2_00007FF7EBE56350
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE561AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7EBE561AC
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE555AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7EBE555AC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\qxn9Zvy1at.exe NtCreateSection: Indirect: 0x7FF7EBE44235
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE76860 cpuid 0_2_00007FF7EBE76860
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: GetLocaleInfoW, 0_2_00007FF7EBE71C34
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF7EBE71B84
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: GetLocaleInfoW, 0_2_00007FF7EBE71A2C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: EnumSystemLocalesW, 0_2_00007FF7EBE68DC0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF7EBE71D60
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF7EBE7132C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: GetLocaleInfoW, 0_2_00007FF7EBE69200
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF7EBE717E0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: EnumSystemLocalesW, 0_2_00007FF7EBE71748
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: EnumSystemLocalesW, 0_2_00007FF7EBE71678
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Code function: 0_2_00007FF7EBE56090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7EBE56090
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob