Windows Analysis Report
Rr6TGP9rEq.exe

Overview

General Information

Sample name: Rr6TGP9rEq.exe
renamed because original name is a hash value
Original sample name: 297270c13474cdcd006acc261c98050a.exe
Analysis ID: 1491466
MD5: 297270c13474cdcd006acc261c98050a
SHA1: 40fd185b12939822e4cc02da09ae3d38aea83306
SHA256: ddc4a98828ac3afea03294fd57189778ce57e305d075f08f0ace443352d5447b
Tags: exe
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Drops PE files to the user root directory
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Rr6TGP9rEq.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Rr6TGP9rEq.exe ReversingLabs: Detection: 52%
Source: Rr6TGP9rEq.exe Virustotal: Detection: 63% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Rr6TGP9rEq.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053053B CryptUnprotectData,LocalFree, 1_2_0053053B
Source: Rr6TGP9rEq.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 1_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005ED997 FindClose,FindFirstFileExW,GetLastError, 1_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 1_2_005EDA1D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00530D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 1_2_00530D83
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.233.132.67:5000
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.233.132.67 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052E0A0 recv,setsockopt,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo, 1_2_0052E0A0
Source: Network traffic Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.4:49730 -> 193.233.132.67:5000
Source: Network traffic Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49730 -> 193.233.132.67:5000
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr String found in binary or memory: http://www.winimage.com/zLibDll
Source: Au3Check.exe String found in binary or memory: https://ipinfo.io/
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Au3Check.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Contains functionality to record screenshots
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 1_2_0051AF30
Abnormal high CPU Usage
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573E4B 1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059A03B 1_2_0059A03B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005670F0 1_2_005670F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005990E0 1_2_005990E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053B0E9 1_2_0053B0E9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051E150 1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059E140 1_2_0059E140
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053E108 1_2_0053E108
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005E5100 1_2_005E5100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00538129 1_2_00538129
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005411D0 1_2_005411D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005191A0 1_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005AD1A0 1_2_005AD1A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00529259 1_2_00529259
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00595240 1_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005B1270 1_2_005B1270
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00556230 1_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00551220 1_2_00551220
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053E229 1_2_0053E229
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054E2D0 1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005512D8 1_2_005512D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052A290 1_2_0052A290
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00543286 1_2_00543286
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0055F280 1_2_0055F280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059F360 1_2_0059F360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00533330 1_2_00533330
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A63D0 1_2_005A63D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056A3E8 1_2_0056A3E8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0060B3B9 1_2_0060B3B9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00554457 1_2_00554457
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00569440 1_2_00569440
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053C470 1_2_0053C470
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005F646A 1_2_005F646A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005124F0 1_2_005124F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005AC4F0 1_2_005AC4F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059E490 1_2_0059E490
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054B480 1_2_0054B480
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005F84A0 1_2_005F84A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00596550 1_2_00596550
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0055B568 1_2_0055B568
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005955B0 1_2_005955B0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00598610 1_2_00598610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A0610 1_2_005A0610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A2610 1_2_005A2610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059F600 1_2_0059F600
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0055C620 1_2_0055C620
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054B6C9 1_2_0054B6C9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00526689 1_2_00526689
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00567770 1_2_00567770
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054C7F0 1_2_0054C7F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005477E0 1_2_005477E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00609824 1_2_00609824
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059F810 1_2_0059F810
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005DF800 1_2_005DF800
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A68C0 1_2_005A68C0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00599880 1_2_00599880
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005388A0 1_2_005388A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005458A0 1_2_005458A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005E2950 1_2_005E2950
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005E6970 1_2_005E6970
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054D910 1_2_0054D910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059E910 1_2_0059E910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0055A900 1_2_0055A900
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0055B939 1_2_0055B939
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005719E0 1_2_005719E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00547A47 1_2_00547A47
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053EA60 1_2_0053EA60
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00525A10 1_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00548A00 1_2_00548A00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00534AD0 1_2_00534AD0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056DA99 1_2_0056DA99
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054CA80 1_2_0054CA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005DDA80 1_2_005DDA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005FBB6D 1_2_005FBB6D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005C7B30 1_2_005C7B30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00595B20 1_2_00595B20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00533B28 1_2_00533B28
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00569BD9 1_2_00569BD9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00528C58 1_2_00528C58
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00542C59 1_2_00542C59
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056FC77 1_2_0056FC77
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005CDC70 1_2_005CDC70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00596C00 1_2_00596C00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056EC08 1_2_0056EC08
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056ACC9 1_2_0056ACC9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A2CF0 1_2_005A2CF0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005F2CE0 1_2_005F2CE0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00548C97 1_2_00548C97
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0059BD50 1_2_0059BD50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00569D39 1_2_00569D39
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00527DC0 1_2_00527DC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0053AE30 1_2_0053AE30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00535E30 1_2_00535E30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005FBEAF 1_2_005FBEAF
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00552F40 1_2_00552F40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0056AF69 1_2_0056AF69
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00570F08 1_2_00570F08
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00593F80 1_2_00593F80
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 0057E530 appears 42 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 005A2450 appears 83 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: String function: 005EFED0 appears 53 times
PE file contains more sections than normal
Source: Rr6TGP9rEq.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: Rr6TGP9rEq.exe, 00000000.00000003.1807163393.0000022DEE257000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEE0A8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1811658210.00007FF682648000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe Binary or memory string: OriginalFilename" vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe Binary or memory string: main.SLnQ0g
Source: Rr6TGP9rEq.exe Binary or memory string: g9ew8IJGJBP.slN5jqtgKy
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@0/1
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A47F0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 1_2_005A47F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 1_2_005A4110
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005191A0 CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 1_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 1_2_00556230
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe File created: C:\Users\user\AppData\Local\Temp\adobeDL8YL5T4U3oi Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File opened: C:\Windows\system32\0d1903ecbb5bf6ef80622a77571fd1ca577007d1dbc1da5f200c0b1d21d0fd50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: Rr6TGP9rEq.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Rr6TGP9rEq.exe ReversingLabs: Detection: 52%
Source: Rr6TGP9rEq.exe Virustotal: Detection: 63%
Source: Au3Check.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Process created: C:\Users\user\Desktop\Rr6TGP9rEq.exe "C:\Users\user\Desktop\Rr6TGP9rEq.exe"
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Section loaded: devobj.dll Jump to behavior
Source: Rr6TGP9rEq.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Rr6TGP9rEq.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Rr6TGP9rEq.exe Static file information: File size 5046784 > 1048576
Source: Rr6TGP9rEq.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142600
Source: Rr6TGP9rEq.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x354c00
Source: Rr6TGP9rEq.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Contains functionality to check for running processes (XOR)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 1_2_005191A0
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0054C7F0
PE file contains an invalid checksum
Source: bgEoRLupllWTRAp.pdf.0.dr Static PE information: real checksum: 0x0 should be: 0x15af84
Source: XPCwyNRACAjFfEg.pdf.0.dr Static PE information: real checksum: 0x465e9 should be: 0x5125f
PE file contains sections with non-standard names
Source: Rr6TGP9rEq.exe Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005EFA97 push ecx; ret 1_2_005EFAAA
Drops PE files
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\XPCwyNRACAjFfEg.pdf Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\XPCwyNRACAjFfEg.pdf Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\XPCwyNRACAjFfEg.pdf Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\XPCwyNRACAjFfEg.pdf Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe File created: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_005955B0
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 1_2_00573A40
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Window / User API: threadDelayed 2176 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Window / User API: threadDelayed 6244 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Dropped PE file which has not been started: C:\Users\user\XPCwyNRACAjFfEg.pdf Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Dropped PE file which has not been started: C:\Users\user\bgEoRLupllWTRAp.pdf Jump to dropped file
Found evasive API chain (date check)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe API coverage: 3.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104 Thread sleep count: 2176 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104 Thread sleep time: -219776s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3592 Thread sleep count: 350 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104 Thread sleep count: 6244 > 30 Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104 Thread sleep time: -630644s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00579610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0057962Ah 1_2_00579610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00577750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00577760h country: Hungarian (hu) 1_2_00577750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00577780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00577790h country: Indonesian (id) 1_2_00577780
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00577D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00577D50h country: Upper Sorbian (hsb) 1_2_00577D40
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005A46C1h 1_2_005A4670
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock, 1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock, 1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock, 1_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005ED997 FindClose,FindFirstFileExW,GetLastError, 1_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 1_2_005EDA1D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00530D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 1_2_00530D83
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0051C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 1_2_0051C430
Source: Au3Check.exe, 00000001.00000003.1827137520.00000000009E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: Au3Check.exe, 00000001.00000003.1827137520.00000000009E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000001.00000002.4167359109.000000000019D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A1A98C04
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A1A98C048$
Source: Au3Check.exe, 00000001.00000002.4167604295.00000000009D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000z
Source: Au3Check.exe, 00000001.00000002.4167604295.00000000009D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Rr6TGP9rEq.exe, 00000000.00000002.1809939764.0000022DE89D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00524280 IsDebuggerPresent, 1_2_00524280
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 1_2_00574577
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0054C7F0
Contains functionality to read the PEB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov ecx, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h] 1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573A40 mov eax, dword ptr fs:[00000030h] 1_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573A40 mov eax, dword ptr fs:[00000030h] 1_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h] 1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h] 1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h] 1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h] 1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00524280 mov eax, dword ptr fs:[00000030h] 1_2_00524280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00525498 mov eax, dword ptr fs:[00000030h] 1_2_00525498
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574638 mov eax, dword ptr fs:[00000030h] 1_2_00574638
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005257B8 mov eax, dword ptr fs:[00000030h] 1_2_005257B8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005757A3 mov eax, dword ptr fs:[00000030h] 1_2_005757A3
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h] 1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0054D910 mov eax, dword ptr fs:[00000030h] 1_2_0054D910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005759E5 mov eax, dword ptr fs:[00000030h] 1_2_005759E5
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00525A10 mov ecx, dword ptr fs:[00000030h] 1_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052FC20 mov eax, dword ptr fs:[00000030h] 1_2_0052FC20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h] 1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00524DC9 mov eax, dword ptr fs:[00000030h] 1_2_00524DC9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00574EC8 mov eax, dword ptr fs:[00000030h] 1_2_00574EC8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00595240 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA, 1_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005F006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_005F006D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005F45A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_005F45A4
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005EFCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_005EFCC4

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Memory allocated: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 protect: page execute and read and write Jump to behavior
Contains functionality to inject threads in other processes
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00529F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 1_2_00529F50
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 3F0008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00524400 cpuid 1_2_00524400
Contains functionality to query locales information (e.g. system language)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 1_2_0061004D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_006100D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 1_2_0061032B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00610454
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 1_2_0051C430
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 1_2_006074CE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 1_2_0061055A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00610630
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoEx,FormatMessageA, 1_2_005ED793
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_0060FCBB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: GetLocaleInfoW, 1_2_0060FEC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 1_2_0060FF67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 1_2_00606F4A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: EnumSystemLocalesW, 1_2_0060FFB2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 1_2_005EF26A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 1_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_00609160 GetTimeZoneInformation, 1_2_00609160
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Code function: 1_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 1_2_005A4110
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c0004f2000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c00052c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Au3Check.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\bgEoRLupllWTRAp.pdf, type: DROPPED

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c0004f2000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c00052c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Au3Check.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\bgEoRLupllWTRAp.pdf, type: DROPPED
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1491466 Sample: Rr6TGP9rEq.exe Startdate: 12/08/2024 Architecture: WINDOWS Score: 100 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected RisePro Stealer 2->23 25 6 other signatures 2->25 6 Rr6TGP9rEq.exe 2 2->6         started        process3 file4 13 C:\Users\user\bgEoRLupllWTRAp.pdf, PE32 6->13 dropped 15 C:\Users\user\XPCwyNRACAjFfEg.pdf, PE32 6->15 dropped 27 Drops PE files to the user root directory 6->27 29 Writes to foreign memory regions 6->29 31 Allocates memory in foreign processes 6->31 33 Injects a PE file into a foreign processes 6->33 10 Au3Check.exe 2 6->10         started        signatures5 process6 dnsIp7 17 193.233.132.67, 49730, 5000 FREE-NET-ASFREEnetEU Russian Federation 10->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.67
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false