Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523781
MD5: db7b43084f7a44e3290774e36d49ce41
SHA1: 1e1321a6e0c6f63b719daccdacbde4a10547021e
SHA256: a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
Tags: exeuser-Bitsight
Infos:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Virustotal: Detection: 10% Perma Link
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 16% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 97.5% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00114005
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011CD14 FindFirstFileW,FindClose, 10_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0011FA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00DC4005
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_00DC494A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_00DCC2FF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_00DCCD9F
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCCD14 FindFirstFileW,FindClose, 15_2_00DCCD14
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_00DCF5D8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_00DCF735
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_00DCFA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00DC3CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182349\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182349 Jump to behavior
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_001229BA
Source: global traffic DNS traffic detected: DNS query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687736473.0000000000179000.00000002.00000001.01000000.00000006.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr, 0000000F.00000002.3506982744.0000000000E29000.00000002.00000001.01000000.00000008.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Sp.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00124830
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DD4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_00DD4830
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00124632
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_0013D164
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_00DED164

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00114254: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00114254
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00108F2E
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00115778
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_00DC5778
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\AdoptionSections Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\AdvisorUsb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\ProminentSavings Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\ValuablePeninsula Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000BB020 10_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000B94E0 10_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000B9C80 10_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D23F5 10_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00138400 10_2_00138400
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E6502 10_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E265E 10_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000BE6F0 10_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D282A 10_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E89BF 10_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00130A3A 10_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E6A74 10_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000C0BE0 10_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DCD51 10_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0010EDB2 10_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00118E44 10_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00130EB7 10_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E6FE6 10_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D33B7 10_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DF409 10_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000CD45D 10_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000CF628 10_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000B1663 10_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000BF6A0 10_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D16B4 10_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D78C3 10_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D1BA8 10_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DDBA5 10_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E9CE5 10_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000CDD28 10_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D1FC0 10_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DBFD6 10_2_000DBFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D6B020 15_2_00D6B020
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D694E0 15_2_00D694E0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D69C80 15_2_00D69C80
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D823F5 15_2_00D823F5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DE8400 15_2_00DE8400
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D96502 15_2_00D96502
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D6E6F0 15_2_00D6E6F0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D9265E 15_2_00D9265E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8282A 15_2_00D8282A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D989BF 15_2_00D989BF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D96A74 15_2_00D96A74
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DE0A3A 15_2_00DE0A3A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D70BE0 15_2_00D70BE0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DBEDB2 15_2_00DBEDB2
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8CD51 15_2_00D8CD51
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DE0EB7 15_2_00DE0EB7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC8E44 15_2_00DC8E44
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D96FE6 15_2_00D96FE6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D833B7 15_2_00D833B7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D7D45D 15_2_00D7D45D
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8F409 15_2_00D8F409
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D816B4 15_2_00D816B4
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D6F6A0 15_2_00D6F6A0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D61663 15_2_00D61663
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D7F628 15_2_00D7F628
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D878C3 15_2_00D878C3
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D81BA8 15_2_00D81BA8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8DBA5 15_2_00D8DBA5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D99CE5 15_2_00D99CE5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D7DD28 15_2_00D7DD28
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8BFD6 15_2_00D8BFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D81FC0 15_2_00D81FC0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: String function: 00D71A36 appears 34 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: String function: 00D80D17 appears 70 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: String function: 00D88B30 appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: String function: 000C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: String function: 000D8B30 appears 42 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal92.expl.evad.winEXE@28/18@2/0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011A6AD GetLastError,FormatMessageW, 10_2_0011A6AD
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00108DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00108DE9
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00109399
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DB8DE9 AdjustTokenPrivileges,CloseHandle, 15_2_00DB8DE9
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DB9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_00DB9399
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_00114148
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_0011443D
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsn1295.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D8B75 push ecx; ret 10_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000CCBDB push eax; retf 10_2_000CCBF8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D88B75 push ecx; ret 15_2_00D88B88

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_001359B3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_000C5EDA
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DE59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_00DE59B3
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D75EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_00D75EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_000D33B7
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr API coverage: 4.5 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00114005
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011CD14 FindFirstFileW,FindClose, 10_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0011FA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00DC4005
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_00DC494A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_00DCC2FF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_00DCCD9F
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCCD14 FindFirstFileW,FindClose, 15_2_00DCCD14
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_00DCF5D8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_00DCF735
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_00DCFA36
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00DC3CE2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_000C5D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182349\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182349 Jump to behavior
Source: Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: TradeHub.scr, 0000000F.00000002.3506788424.0000000000C73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001245D5 BlockInput, 10_2_001245D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_000C5240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_000E5CAC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_001088CD
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DA354 SetUnhandledExceptionFilter, 10_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000DA385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00D8A385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00D8A354 SetUnhandledExceptionFilter, 15_2_00D8A354
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00109369 LogonUserW, 10_2_00109369
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_000C5240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00111AC6 SendInput,keybd_event, 10_2_00111AC6
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001151E2 mouse_event, 10_2_001151E2
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_001088CD
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00114F1C
Source: file.exe, 00000000.00000003.1665758727.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003755000.00000004.00000800.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687565395.0000000000166000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Beginners.pif, TradeHub.scr Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000D885B cpuid 10_2_000D885B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000F0030 GetLocalTime,__swprintf, 10_2_000F0030
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000F0722 GetUserNameW, 10_2_000F0722
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_000E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_000E416A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: TradeHub.scr Binary or memory string: WIN_81
Source: TradeHub.scr Binary or memory string: WIN_XP
Source: TradeHub.scr Binary or memory string: WIN_XPe
Source: TradeHub.scr Binary or memory string: WIN_VISTA
Source: TradeHub.scr Binary or memory string: WIN_7
Source: TradeHub.scr Binary or memory string: WIN_8
Source: Sp.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_0012696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_0012696E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Code function: 10_2_00126E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00126E32
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DD696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 15_2_00DD696E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr Code function: 15_2_00DD6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 15_2_00DD6E32
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523781 Sample: file.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 92 44 bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH 2->44 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Sigma detected: Search for Antivirus process 2->52 54 4 other signatures 2->54 10 file.exe 23 2->10         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 15 cmd.exe 2 10->15         started        60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->60 19 TradeHub.scr 12->19         started        process6 file7 40 C:\Users\user\AppData\Local\...\Beginners.pif, PE32 15->40 dropped 46 Drops PE files with a suspicious file extension 15->46 21 Beginners.pif 4 15->21         started        25 cmd.exe 2 15->25         started        27 conhost.exe 15->27         started        29 7 other processes 15->29 signatures8 process9 file10 36 C:\Users\user\AppData\Local\...\TradeHub.scr, PE32 21->36 dropped 38 C:\Users\user\AppData\Local\...\TradeHub.js, ASCII 21->38 dropped 56 Multi AV Scanner detection for dropped file 21->56 58 Drops PE files with a suspicious file extension 21->58 31 cmd.exe 2 21->31         started        signatures11 process12 file13 42 C:\Users\user\AppData\...\TradeHub.url, MS 31->42 dropped 34 conhost.exe 31->34         started        process14
No contacted IP infos

Contacted Domains

Name IP Active
bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH unknown unknown