Windows Analysis Report
73zGJqwgDy.exe

Overview

General Information

Sample name: 73zGJqwgDy.exe
renamed because original name is a hash value
Original sample name: 9f2385763546df324e9ba77aa2ba312c890ffdbc0e6e379281ba321c0242318d.exe
Analysis ID: 1436571
MD5: 31c73b1faf2ac14c68e5ec56bfb6d3a6
SHA1: 27b775e8543494a1d3bb3a5d11ebe9b7fb9a401b
SHA256: 9f2385763546df324e9ba77aa2ba312c890ffdbc0e6e379281ba321c0242318d
Tags: exemofongo-loader
Infos:

Detection

MofongoLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MofongoLoader
Found direct / indirect Syscall (likely to bypass EDR)
Adds / modifies Windows certificates
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 73zGJqwgDy.exe Virustotal: Detection: 14% Perma Link
Source: 73zGJqwgDy.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.67.174.47:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: 73zGJqwgDy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B79F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF79B6B79F4
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B681530 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetReadFile,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF79B681530
Source: global traffic DNS traffic detected: DNS query: checkcloudnet.com
Source: unknown HTTP traffic detected: POST /check/connection HTTP/1.1Content-Type: application/jsonUser-Agent: UA/1Host: checkcloudnet.comContent-Length: 99Cache-Control: no-cache
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACe
Source: 73zGJqwgDy.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 73zGJqwgDy.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 73zGJqwgDy.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 73zGJqwgDy.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 73zGJqwgDy.exe, 00000000.00000003.2033297065.0000016028B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.usertrust.
Source: 73zGJqwgDy.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 73zGJqwgDy.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 73zGJqwgDy.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 73zGJqwgDy.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: 73zGJqwgDy.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/.
Source: 73zGJqwgDy.exe, 73zGJqwgDy.exe, 00000000.00000002.2061190770.00007FF79B6D7000.00000004.00000001.01000000.00000003.sdmp, 73zGJqwgDy.exe, 00000000.00000003.2060139022.0000016028D3F000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000003.2060260743.0000016028BDE000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028BD8000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2060973626.0000016028BE1000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2061054833.0000016028D3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connection
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connection&
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connectionPt
Source: 73zGJqwgDy.exe, 00000000.00000003.2060260743.0000016028BDE000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2060973626.0000016028BE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connectionT
Source: 73zGJqwgDy.exe, 00000000.00000003.2060139022.0000016028D3F000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2061054833.0000016028D3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connectionUn
Source: 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkcloudnet.com/check/connectionlowed
Source: 73zGJqwgDy.exe String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 172.67.174.47:443 -> 192.168.2.6:49702 version: TLS 1.2
Contains functionality to call native functions
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B692160 shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,CreatePipe,SetHandleInformation,CreateProcessA,CloseHandle,CloseHandle,NtCreateSection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetStdHandle,ReadFile,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF79B692160
Detected potential crypto function
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6BDF20 0_2_00007FF79B6BDF20
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6AB4A0 0_2_00007FF79B6AB4A0
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B692160 0_2_00007FF79B692160
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A7CB0 0_2_00007FF79B6A7CB0
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6BAB5C 0_2_00007FF79B6BAB5C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B1B2C 0_2_00007FF79B6B1B2C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6BEA24 0_2_00007FF79B6BEA24
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A7AC8 0_2_00007FF79B6A7AC8
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A89F4 0_2_00007FF79B6A89F4
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B79F4 0_2_00007FF79B6B79F4
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6AB9AC 0_2_00007FF79B6AB9AC
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A7E98 0_2_00007FF79B6A7E98
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B0E0C 0_2_00007FF79B6B0E0C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6AF448 0_2_00007FF79B6AF448
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A84E0 0_2_00007FF79B6A84E0
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6AC300 0_2_00007FF79B6AC300
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6AE170 0_2_00007FF79B6AE170
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6BC134 0_2_00007FF79B6BC134
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B21AC 0_2_00007FF79B6B21AC
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B167C 0_2_00007FF79B6B167C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B962C 0_2_00007FF79B6B962C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B6698 0_2_00007FF79B6B6698
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A9580 0_2_00007FF79B6A9580
Sample file is different than original file name gathered from version info
Source: 73zGJqwgDy.exe, 00000000.00000003.2033094783.0000016029223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudSecurity.exeX8 vs 73zGJqwgDy.exe
Source: 73zGJqwgDy.exe, 00000000.00000002.2061202582.00007FF79B728000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCloudSecurity.exeX8 vs 73zGJqwgDy.exe
Source: 73zGJqwgDy.exe Binary or memory string: OriginalFilenameCloudSecurity.exeX8 vs 73zGJqwgDy.exe
Source: classification engine Classification label: mal60.troj.evad.winEXE@3/0@1/1
Source: 73zGJqwgDy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 73zGJqwgDy.exe Virustotal: Detection: 14%
Source: C:\Users\user\Desktop\73zGJqwgDy.exe File read: C:\Users\user\Desktop\73zGJqwgDy.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\73zGJqwgDy.exe "C:\Users\user\Desktop\73zGJqwgDy.exe"
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: 73zGJqwgDy.exe Static PE information: certificate valid
Source: 73zGJqwgDy.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 73zGJqwgDy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 73zGJqwgDy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 73zGJqwgDy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 73zGJqwgDy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 73zGJqwgDy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 73zGJqwgDy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 73zGJqwgDy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Yara detected MofongoLoader
Source: Yara match File source: 00000000.00000003.2032161793.0000016028D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2031415601.0000016028BAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2029784787.00007FF79B681000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2031549611.0000016028BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2033297065.0000016028B9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2061150828.00007FF79B681000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2033207199.0000016028D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2031259852.0000016028B9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2033094783.0000016029181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B690B50 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,CheckTokenMembership,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF79B690B50
PE file contains an invalid checksum
Source: 73zGJqwgDy.exe Static PE information: real checksum: 0xa7e3c should be: 0xa907f
PE file contains sections with non-standard names
Source: 73zGJqwgDy.exe Static PE information: section name: _RDATA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B681530 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetReadFile,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF79B681530
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6B79F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF79B6B79F4
Source: 73zGJqwgDy.exe, 00000000.00000002.2060973626.0000016028BFC000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000002.2060864742.0000016028B8B000.00000004.00000020.00020000.00000000.sdmp, 73zGJqwgDy.exe, 00000000.00000003.2060260743.0000016028BFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A6CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79B6A6CD0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B690B50 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,CheckTokenMembership,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress, 0_2_00007FF79B690B50
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6BBE4C GetProcessHeap, 0_2_00007FF79B6BBE4C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A6CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79B6A6CD0
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A1060 SetUnhandledExceptionFilter, 0_2_00007FF79B6A1060
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A0EBC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79B6A0EBC
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A02BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF79B6A02BC

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe NtCreateSection: Indirect: 0x7FF79B692665 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6C1040 cpuid 0_2_00007FF79B6C1040
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF79B6BBB34
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF79B6BB958
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: GetLocaleInfoW, 0_2_00007FF79B6BBA08
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: GetLocaleInfoW, 0_2_00007FF79B6B39E8
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF79B6BB100
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: EnumSystemLocalesW, 0_2_00007FF79B6BB44C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: GetLocaleInfoW, 0_2_00007FF79B6BB800
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: EnumSystemLocalesW, 0_2_00007FF79B6BB51C
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF79B6BB5B4
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: EnumSystemLocalesW, 0_2_00007FF79B6B35A8
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Code function: 0_2_00007FF79B6A0DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF79B6A0DA0
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Adds / modifies Windows certificates
Source: C:\Users\user\Desktop\73zGJqwgDy.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436571 Sample: 73zGJqwgDy.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 60 13 checkcloudnet.com 2->13 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected MofongoLoader 2->19 7 73zGJqwgDy.exe 12 2->7         started        signatures3 process4 dnsIp5 15 checkcloudnet.com 172.67.174.47, 443, 49702 CLOUDFLARENETUS United States 7->15 21 Found direct / indirect Syscall (likely to bypass EDR) 7->21 11 msedge.exe 7->11         started        signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.174.47
 checkcloudnet.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
checkcloudnet.com 172.67.174.47 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://checkcloudnet.com/check/connection false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown